'SameSite' cookie attribute

Same-site cookies (née "First-Party-Only" (née "First-Party")) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

Specification

Editor's draft

Status in Chromium

Blink components: Blink

Enabled by default (tracking bug) in:

Chrome for desktop release 51
Chrome for Android release 51
Android WebView release 51
Opera release 39
Opera for Android release 39

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Shipped
Edge: No public signals
Safari: No public signals
Web Developers: Positive

Owner

mkwst@chromium.org

Last updated on 2018-06-26