Reject insecure SameSite=None cookies

Deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected. Chrome 80 is targeted for enabling this feature by default. Please see https://www.chromium.org/updates/same-site for more updates. This feature is available as of Chrome 76 by enabling the cookies-without-same-site-must-be-secure flag.

Cookies delivered over plaintext channels may be cataloged or modified by network attackers. Requiring secure transport for cookies intended for cross-site usage reduces this risk, and encourages entities that produce embeddable content to migrate to HTTPS. The use of non-Secure cookies facilitates pervasive monitoring, a widespread attack on users’ privacy. This change will mitigate the risks presented by pervasive monitoring by curtailing the use of non-Secure third-party cookies. Third-party cookies are widely used for tracking and may contain sensitive data that pertains to user identity. Cookies with SameSite=None are specifically marked for use in third-party contexts. By requiring SameSite=None cookies to be Secure, users are protected by default from attacks on their identifying data that may compromise their privacy. In addition, non-secure embeds are a risk to users’ privacy and security. The use of non-secure embeds degrades users’ security and user experience on first-party sites by hampering first-party upgrades to secure transport because of limitations imposed on mixed content. The use of HTTPS protects users and sites, and the presence of mixed embedded content downgrades its security benefits. Requiring Secure for SameSite=None cookies will increase the security of the web by encouraging embeddable content producers to migrate to HTTPS.

Documentation

Specification

Working draft or equivalent

Status in Chromium

Blink>Network


Behind a flag (tracking bug) in:

  • Chrome for desktop release 76
  • Chrome for Android release 76
  • Android WebView release 76

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No public signals
  • No public signals
  • No signals

Owners

Last updated on 2019-10-02