The SameSite cookie attribute is used by browsers to identify how first-party and third-party cookies are to be handled. The purpose of the SameSite attribute is to protect the privacy rights of web users and reduce the risk of cross-site request forgeries (CSRF/XSRF). CSRF is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
With the release Chrome 80 the SameSite cookies attribute was turned on by default. Other browsers, such as Microsoft Edge, Firefox, and Safari also support SameSite cookies, but the feature is not always turned on by default.
SameSite attribute values
SameSite has three values for different levels of security:
- Strict: Browsers only send cookies with requests originating from the same domain/site as the target domain. This will stop CSRF attacks.
- Lax: Does not restrict originating site, but enforces target domain to be the same as cookie domain. This will stop cross-site cookies.
- None: Clearly communicates that you intentionally want the cookie sent in a third-party context.
In Chrome 80 and later, cookies that have no declared SameSite value will default to SameSite=Lax. This means that cookies will automatically be sent only in a first party context unless they opt-out by explicitly setting the value None.
Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.