Cookies with SameSite by default

Treat cookies as SameSite=Lax by default if no SameSite attribute is specified. Developers would be able to opt in to the status quo of unrestricted use by explicitly asserting SameSite=None. The Stable version of Chrome 80 is targeted for enabling this feature by default. Starting in Chrome 78, the feature will be enabled in the Beta version only. As of Chrome 76, the feature is available by enabling the same-site-by-default-cookies flag.

See also: https://www.chromestatus.com/feature/5633521622188032 (Cookies marked SameSite=None should also be marked Secure.)

“SameSite” is a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks, but developers currently need to opt in to its protections by specifying a SameSite attribute. In other words, developers are vulnerable to CSRF attacks by default. This change would protect developers by default, while allowing sites that require state in cross-site requests to opt in to the status quo’s less secure model. In addition, forcing sites to opt in to SameSite=None gives the user agent the ability to provide users more transparency and control over tracking.

NOTE: There is currently a bug affecting Mac OS X and iOS which causes SameSite=None cookies to be inadvertently treated as SameSite=Strict and therefore not sent with cross-site requests (see https://bugs.webkit.org/show_bug.cgi?id=198181). Until this is fixed, SameSite=None may not work properly on Safari.
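The decision rule described above, as an added model written for this page (it is not Chrome's code): a Set-Cookie header is parsed, a missing SameSite attribute is treated as Lax when the new default is on, and an explicit SameSite=None is only honoured together with Secure. The function names, the `same_site_by_default` switch and the sample header values are assumptions made for the example.

```python
"""Model of the 'SameSite by default' cookie policy: no SameSite attribute
means Lax, and opting back out needs an explicit SameSite=None plus Secure."""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name/value plus lower-cased attributes.
    Value-less attributes such as 'Secure' map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie


def effective_samesite(cookie: dict, same_site_by_default: bool = True) -> str:
    """SameSite mode the browser applies. With the Chrome 80 default a missing
    attribute means Lax; under the old behaviour it meant unrestricted (None)."""
    raw = cookie.get("samesite")
    if isinstance(raw, str) and raw.lower() in ("strict", "lax", "none"):
        return raw.capitalize()
    return "Lax" if same_site_by_default else "None"


def cross_site_outcome(header: str, *, same_site_by_default: bool = True,
                       top_level_navigation: bool = False,
                       method: str = "GET") -> str:
    """What happens to the cookie on a cross-site request:
    'rejected' - not stored at all (SameSite=None without Secure),
    'sent'     - attached to the request,
    'withheld' - stored, but not attached to this cross-site request."""
    cookie = parse_set_cookie(header)
    mode = effective_samesite(cookie, same_site_by_default)
    # Assumption: the companion "None requires Secure" change ships together
    # with the new default, so an insecure SameSite=None cookie is dropped.
    if same_site_by_default and mode == "None" and cookie.get("secure") is not True:
        return "rejected"
    if mode == "None":
        return "sent"
    # Lax: only top-level navigations with a safe method carry the cookie,
    # which is what blocks the classic cross-site POST used for CSRF.
    if mode == "Lax" and top_level_navigation and method.upper() in SAFE_METHODS:
        return "sent"
    return "withheld"  # Strict, or Lax on a subresource or POST request
```

Running the same legacy header (`sessionid=abc123; Path=/; HttpOnly`, a constructed sample) through `cross_site_outcome` with `same_site_by_default` off and on shows the cookie going from "sent" to "withheld" on a cross-site POST, which is the CSRF protection the change provides.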

Documentation

Specification

Working draft or equivalent

Status in Chromium

Blink>Network

Behind a flag (tracking bug) in:

  • Chrome for desktop release 76
  • Chrome for Android release 76
  • Android WebView release 76

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No public signals
  • No public signals
  • No signals

Owners

Last updated on 2019-08-16