privacycg / CHIPS

A proposal for a cookie attribute to partition cross-site cookies by top-level site

Can you explain the __Host requirement

LGraber opened this issue · comments

I am not sure I totally understand why this is a requirement. If the app simply said "All of my cookies are partitioned". If the cookie happens to be received in a first-party context, then Partitioning is ignored. What does the above requirement protect against?

@LGraber the __Host- prefix requirement is explained in the "Partitioned cookies must use the __Host- prefix" section.

In summary, there are two main reasons:

  1. The __Host- prefix requires cookies also use the Secure attribute.

  2. The __Host- prefix disallows sharing cookies between different third-party subdomains in a single partition.

These 2 properties make partitioned cookies as close to third-party origin-bound as possible, which is one of our stated design goals.
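The two properties listed in the answer above can be checked mechanically against the Set-Cookie headers a deployment emits. The following is an added example, not code from the CHIPS proposal or from anyone in this thread; besides the prefix and Secure it also checks the Path=/ and no-Domain conditions that the __Host- prefix carries, and the function names, cookie names and sample headers are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into { name, attrs } (attribute names lowercased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Return the reasons a Partitioned cookie breaks the __Host- rules.
// An empty list means the cookie passes, or is not Partitioned at all.
function partitionedCookieProblems(header) {
  const { name, attrs } = parseSetCookie(header);
  if (!attrs.has("partitioned")) return [];
  const problems = [];
  // Prefix compared exactly as a server is expected to emit it.
  if (!name.startsWith("__Host-")) problems.push("name lacks __Host- prefix");
  if (!attrs.has("secure")) problems.push("missing Secure");
  // A Domain attribute would let the cookie be shared across subdomains.
  if (attrs.has("domain")) problems.push("Domain attribute present");
  if (attrs.get("path") !== "/") problems.push("Path is not /");
  return problems;
}

// Constructed sample headers (cookie names and the domain are made up).
const samples = [
  "__Host-session=abc; Secure; Path=/; SameSite=None; Partitioned",
  "LBSTICKY=xyz; Path=/; SameSite=None; Secure; Partitioned",
  "__Host-pref=1; Secure; Path=/; Domain=widgets.example; Partitioned",
  "__Host-cart=9; Path=/app; Partitioned",
  "firstparty=1; Path=/",
];

// Audit a list of headers and pair each one with its problems.
function auditAll(headers) {
  return headers.map((h) => ({ header: h, problems: partitionedCookieProblems(h) }));
}

for (const { header, problems } of auditAll(samples)) {
  console.log(problems.length ? "FAIL" : "ok  ", header, problems.join("; "));
}
```

The second sample stands in for a cookie set by an intermediary that cannot be renamed: it carries Secure and Partitioned but fails on the prefix alone.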

The second implication is interesting. The first one, other attributes like SameSite=None have had the implicit requirement that Secure must also be set so ... I don't know the background for why this is required. One thing that this now forces me to research a bit is the cookies generated by cloud platforms like GCP, AWS, and Azure. If we have AWS ELB sitting in front of our embedded component, will we be able to force their cookies to change the name to add the HOST prefix (and if not, what is the impact)? I know that they all updated to support SameSite=None but this is another requirement. Do you know if GCP will be able to support this?

Not sure if you will see this or if I have to 'un-close' it to ask this part of the question