Schemeful same-site

Modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http://site.example and https://site.example will now be considered cross-site to each other. Current plans target an M83-84 release.

The SameSite cookie attribute offers defense against CSRF attacks but currently does not consider the secure and insecure versions of the same domain to be cross-site; because of this, a network attacker could impersonate http://site.example (or a subdomain) and use that to bypass SameSite protections on https://site.example. Changing the same-site computation to consider http://site.example and https://site.example as cross-site negates this type of attack. This change would align the cookie definition of same-site, and Chrome’s future implementation, with the changes to the WHATWG definition as seen in the explainer.

Documentation

Status in Chromium

Blink>Network

In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • No signals

Owners

Last updated on 2020-02-26