Modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http:// site.example and https:// site.example (note: a space was added between the scheme and the domain to prevent automatic link conversion) will now be considered cross-site to each other. Releasing to Stable, as part of a gradual rollout, starting in M88.
Motivation
The SameSite cookie attribute offers a defense against CSRF attacks, but it currently does not treat the secure and insecure versions of the same domain as cross-site. Because of this, a network attacker (anyone on-path who can answer for the plaintext origin) could impersonate http:// site.example (or a subdomain of it) and use that position to bypass SameSite protections on https:// site.example. Changing the same-site computation to consider http:// site.example and https:// site.example cross-site to each other negates this type of attack. This change aligns the cookie definition of same-site, and Chrome's future implementation, with the changes to the WHATWG definition described in the explainer.
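The following is an added illustration, not Chromium code and not part of the original feature entry. It models the two same-site computations side by side: the old schemeless rule (registrable domain only) and the schemeful rule this feature ships (scheme plus registrable domain), and then replays the attack from the motivation above, an attacker impersonating http:// sub.site.example issuing a request to https:// site.example, to show that a SameSite=Strict cookie is attached under the old rule and withheld under the new one. The public-suffix list, the URLs and the cookie are constructed for the example; the mapping of ws/wss onto http/https is an assumption about how the browser treats WebSocket schemes and is not stated on this page.

```javascript
// Added example (not Chromium code): schemeless vs. schemeful same-site.

// Constructed, tiny public-suffix list. Real browsers use the full PSL.
const PUBLIC_SUFFIXES = new Set(["example", "com", "uk", "co.uk"]);

// Registrable domain = one label in front of the longest matching public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  return host; // no known suffix: treat the whole host as the domain
}

// Assumption for this example: WebSocket schemes share the site of their
// HTTP counterparts (ws ~ http, wss ~ https). Not stated on the page above.
function normalizeScheme(protocol) {
  const s = protocol.replace(/:$/, "");
  if (s === "ws") return "http";
  if (s === "wss") return "https";
  return s;
}

// "Site" key of a URL. Schemeless (old rule): registrable domain only.
// Schemeful (new rule): scheme and registrable domain together.
function siteOf(url, { schemeful }) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname);
  return schemeful ? `${normalizeScheme(u.protocol)}://${domain}` : domain;
}

function isSameSite(a, b, opts) {
  return siteOf(a, opts) === siteOf(b, opts);
}

// Simplified attachment decision for a cookie with the given SameSite value.
// Lax additionally allows cross-site top-level navigations with safe methods;
// the caller passes that fact in as `topLevelNavigation`.
function cookieSent({ sameSite }, { initiator, target, topLevelNavigation = false }, opts) {
  const same = isSameSite(initiator, target, opts);
  switch (sameSite) {
    case "Strict": return same;
    case "Lax": return same || topLevelNavigation;
    case "None": return true;
    default: throw new Error("unknown SameSite value: " + sameSite);
  }
}

// The attack from the Motivation section: a network attacker answering for the
// plaintext subdomain makes a (constructed) request to the HTTPS origin.
function demo() {
  const attack = {
    initiator: "http://sub.site.example/attacker-controlled",
    target: "https://site.example/account/transfer",
  };
  const cookie = { sameSite: "Strict" };
  return {
    schemeless: cookieSent(cookie, attack, { schemeful: false }), // sent: CSRF works
    schemeful: cookieSent(cookie, attack, { schemeful: true }),   // withheld
  };
}

const result = demo();
if (result.schemeless !== true || result.schemeful !== false) {
  throw new Error("unexpected same-site result: " + JSON.stringify(result));
}
```

Under the schemeless rule the Strict cookie rides along because both URLs share the registrable domain site.example; under the schemeful rule the http and https sites are distinct keys, so the cookie stays home and the forged request arrives unauthenticated. Subdomains of the same scheme (https:// a.site.example and https:// b.site.example) remain same-site under both rules.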
Documentation
Specification
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 89
- Chrome for Android release 89
Consensus & Standardization
Owners
Intent to Prototype url
Intent to Prototype thread
Search tags
SameSite, Same-site, same site, scheme, schemeful
Last updated on 2021-04-08