Reject insecure SameSite=None cookies

Deprecate and remove the ability to set a cookie with SameSite=None that does not also specify Secure. Any cookie that requests SameSite=None but is not marked Secure will be rejected. Chrome 80 is targeted for enabling this feature by default.

Cookies delivered over plaintext channels may be cataloged or modified by network attackers. Requiring secure transport for cookies intended for cross-site usage reduces this risk, and encourages entities that produce embeddable content to migrate to HTTPS.
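The rule in the description is simple enough to express as a check a server operator can run over their own Set-Cookie headers before the Chrome 80 behaviour lands. The following is an added example, not Chromium's implementation: a small Set-Cookie parser and an acceptance check that rejects any cookie declaring SameSite=None without Secure, run over a few constructed sample headers.

```python
"""Check Set-Cookie headers against the "SameSite=None requires Secure" rule.

Added example (not Chromium's own code): a minimal Set-Cookie parser plus
the acceptance check this feature describes, applied to constructed headers.
"""
from typing import Dict, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased so lookups are case-insensitive; flag
    attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError("cookie pair must contain '='")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_accepted(header: str) -> Tuple[bool, str]:
    """Apply the rule: SameSite=None is only honoured together with Secure.

    Returns (accepted, reason). The SameSite value is compared
    case-insensitively, as browsers treat attribute values.
    """
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and "secure" not in attrs:
        return False, "SameSite=None requires the Secure attribute"
    return True, "ok"


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "widget=abc123; SameSite=None; Secure",
    "widget=abc123; SameSite=None",
    "widget=abc123; samesite=none; Path=/; HttpOnly",
    "session=xyz; SameSite=Lax",
    "session=xyz; Secure; HttpOnly",
]


def audit(headers) -> Dict[str, bool]:
    """Map each header to whether the new policy would accept it."""
    return {h: is_accepted(h)[0] for h in headers}


if __name__ == "__main__":
    for h, ok in audit(SAMPLE_HEADERS).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {h}")
```

Running the audit over real response headers (for example, captured from a staging deployment) lists every cookie that will silently disappear once the flag is on by default; the fix for each is to add Secure and serve the embeddable content over HTTPS.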

Documentation

Specification

Working draft or equivalent

Status in Chromium

Blink>Network
Behind a flag (tracking bug) in:

  • Chrome for desktop release 76
  • Chrome for Android release 76
  • Android WebView release 76

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No public signals
  • No public signals
  • No signals

Owners

Last updated on 2019-06-20