Schemeful same-site

Modifies the definition of same-site for cookies so that requests on the same registrable domain but across schemes are considered cross-site rather than same-site. For example, http://site.example and https://site.example will now be treated as cross-site to each other, as will http://sub.site.example and https://site.example. Current plans target an M88 release.

Motivation

The SameSite cookie attribute offers defense against CSRF attacks, but it currently does not consider the secure and insecure versions of the same domain to be cross-site. Because of this, a network attacker could impersonate http://site.example (or any subdomain of it) and use that origin to issue requests to https://site.example that carry the victim's SameSite=Lax or SameSite=Strict cookies, bypassing the protection those attributes are meant to provide. Changing the same-site computation to consider http://site.example and https://site.example cross-site negates this type of attack; cookies set with SameSite=None are unaffected, since they are sent on cross-site requests anyway. This change would align the cookie definition of same-site, and Chrome's future implementation, with the changes to the WHATWG definition described in the explainer.
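The following is an added example, not code from the Chromium project or from this page, that contrasts the pre-M88 (schemeless) same-site computation with the schemeful one and shows why the attack described above stops working. The registrable-domain lookup uses a tiny hard-coded suffix list as an assumption; a real implementation consults the Public Suffix List. The cookieSent helper, the PUBLIC_SUFFIXES set and the sample URLs are all constructed for illustration.

```javascript
// Added example: schemeless vs. schemeful same-site for the SameSite cookie
// attribute. Illustration only, not Chromium's implementation.

// ASSUMPTION: a tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["example", "com", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // no known suffix: treat the whole host as the site
}

// Pre-M88 rule: same registrable domain, scheme ignored.
function isSchemelessSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Schemeful rule: registrable domain AND scheme must both match.
function isSchemefulSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && isSchemelessSameSite(urlA, urlB);
}

// HTTP methods that SameSite=Lax allows on cross-site top-level navigations.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Decide whether a cookie with the given SameSite value is attached to a
// request from `initiator` to `target`. `schemeful` selects which same-site
// rule applies. (Constructed helper; it ignores Secure, Domain and Path.)
function cookieSent(sameSite, initiator, target,
                    { schemeful, topLevelNavigation = false, method = "GET" } = {}) {
  const sameSiteCheck = schemeful ? isSchemefulSameSite : isSchemelessSameSite;
  const same = sameSiteCheck(initiator, target);
  switch (sameSite) {
    case "None":
      return true; // always sent cross-site (must also be Secure in practice)
    case "Strict":
      return same;
    case "Lax":
      return same || (topLevelNavigation && SAFE_METHODS.has(method.toUpperCase()));
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Scenario from the motivation: a network attacker spoofs http://site.example
// and makes the victim's browser POST to https://site.example. Returns, for each
// rule, whether a SameSite=Strict session cookie rides along.
function attackOutcome() {
  const spoofed = "http://site.example/";
  const victimApi = "https://site.example/account/transfer";
  return {
    schemeless: cookieSent("Strict", spoofed, victimApi, { schemeful: false, method: "POST" }),
    schemeful: cookieSent("Strict", spoofed, victimApi, { schemeful: true, method: "POST" }),
  };
}

console.log("http vs https same-site (schemeless):",
  isSchemelessSameSite("http://site.example/", "https://site.example/"));
console.log("http vs https same-site (schemeful): ",
  isSchemefulSameSite("http://site.example/", "https://site.example/"));
console.log("SameSite=Strict cookie sent in spoofing attack:", attackOutcome());
```

Under the schemeless rule the spoofed http://site.example page counts as same-site, so even SameSite=Strict cookies accompany the forged POST; under the schemeful rule the scheme mismatch makes the request cross-site and the cookie is withheld. Note that a same-scheme subdomain (https://sub.site.example to https://site.example) is still same-site under both rules, so schemeful same-site narrows the attack surface to what the Secure attribute and cookie prefixes already assume: a network attacker can forge http, not https.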

Documentation

Specification

Editor's draft

Status in Chromium

Blink>Network

In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • Neutral
  • No signal
  • No signals

Owners

Search tags

SameSite, Same-site, same site, scheme, schemeful,

Last updated on 2020-10-25