'SameSite' cookie attribute

Same-site cookies (née "First-Party-Only" (née "First-Party")) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

Specification

Editor's draft

Status in Chromium

Blink components: Blink

Enabled by default (launch bug) in:

• Chrome for desktop release 51
• Chrome for Android release 51
• Android WebView release 51
• Opera release 39
• Opera for Android release 39

Consensus & Standardization

• Firefox: Public support
• Edge: No public signals
• Safari: No public signals
• Web Developers: Positive

Owner

• mkwst@chromium.org

Last updated on 2017-06-14