Modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http:// site.example and https:// site.example (note: a space was added between the scheme and the domain to prevent automatic link conversion) will now be considered cross-site to each other. Releasing to Stable, as part of a gradual rollout, starting in M88.

Motivation

The SameSite cookie attribute offers defense against CSRF attacks, but currently it does not treat the secure and insecure versions of the same domain as cross-site; because of this, a network attacker who can impersonate http:// site.example (or a subdomain of it) could use that position to bypass the SameSite protections on https:// site.example. Changing the same-site computation to treat http:// site.example and https:// site.example as cross-site negates this type of attack. This change would align the cookie definition of same-site, and Chrome’s future implementation, with the changes to the WHATWG definition as seen in the explainer.
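As an added illustration (not Chromium's code), the following compares the old scheme-agnostic same-site computation with the schemeful one described above. It assumes a tiny constructed public-suffix list in place of the real Public Suffix List, so the registrable-domain lookup is a simplification; the URLs are the page's site.example examples.

```javascript
// Added example, not Chromium's implementation.
// Assumption: a handful of constructed public suffixes stands in for the
// real Public Suffix List; "example" is treated as a suffix so that
// site.example is a registrable domain.
const PUBLIC_SUFFIXES = new Set(["com", "example", "co.uk"]);

// Return the registrable domain (eTLD+1) of a host, or null if the host is
// itself a public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // Smaller i means a longer candidate suffix, so the first hit is the
  // longest matching public suffix.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      if (i === 0) return null;
      return labels.slice(i - 1).join(".");
    }
  }
  // No known suffix: treat the whole host as the registrable domain.
  return host.toLowerCase();
}

// Legacy computation: same registrable domain, scheme ignored.
function schemelessSameSite(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  const ra = registrableDomain(ua.hostname);
  const rb = registrableDomain(ub.hostname);
  return ra !== null && ra === rb;
}

// Schemeful computation: the scheme must match as well. Ports are still
// ignored, since "site" is (scheme, registrable domain), not origin.
function schemefulSameSite(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  if (ua.protocol !== ub.protocol) return false;
  return schemelessSameSite(a, b);
}

// Side-by-side view over the page's example pair plus a subdomain and an
// unrelated site; each row is a constructed request pair.
function compareTable() {
  const pairs = [
    ["http://site.example/", "https://site.example/"],
    ["https://sub.site.example/", "https://site.example/"],
    ["https://site.example/", "https://other.example/"],
  ];
  return pairs.map(([a, b]) => ({
    a,
    b,
    schemeless: schemelessSameSite(a, b),
    schemeful: schemefulSameSite(a, b),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareTable());
}
```

The first row is the case the motivation describes: the legacy rule reports the http and https hosts as same-site, so an on-path attacker impersonating the http site inherits SameSite protection on the https site; the schemeful rule reports them as cross-site.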

Specification

Editor's draft

Status in Chromium

Blink>Network


Enabled by default (tracking bug) in:

  • Chrome for desktop release 89
  • Chrome for Android release 89

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • Neutral
  • No signal
  • No signals

Owners

Intent to Prototype url

Intent to Prototype thread

Search tags

SameSite, Same-site, same site, scheme, schemeful

Last updated on 2021-04-24