🍪 SameSite
examples
This is a companion repo for the
"SameSite
cookies explained"
article on web.dev. This is your starting point for how cookies work, the
functionality of the SameSite
attribute, and the changes in Chrome to apply a
SameSite=Lax
policy by default while requiring the use of
SameSite=None; Secure
for cookies in a third-party context.
This functionality is available now in Chrome 76 behind the associated flags to let you test the effect on your site. This is intended to become default behaviour as of Chrome 80.
SameSite=Lax
by default
- Flag:
chrome://flags/#same-site-by-default-cookies
- Chrome Status entry:
Cookies with
SameSite
by default
Turn this flag on to have Chrome apply the equivalent of SameSite=Lax
to
cookies without a SameSite
attribute specified.
Secure
with SameSite=None
Require - Flag:
chrome://flags/#cookies-without-same-site-must-be-secure
- Chrome Status entry:
Reject insecure
SameSite=None
cookies
Turn on this flag along with the previous flag to have Chrome enforce the need
for any SameSite=None
cookie to also specify the Secure
attribute.
See affected cookies
- Flag
chrome://flags/#cookie-deprecation-messages
This will add console warning messages for every single cookie potentially affected by this change.
⚠️ WARNING: You will see a lot of messages! Seriously, a lot of messages.
Since the vast majority of cookies do not have any SameSite
attribute set that
means they are all sent in a cross-site context, regardless of whether or not
the intent is to use them.
As you add the correct SameSite
and Secure
values to your cookies, you will
be able to use the console warnings to test for any you have missed. Try this
without the previous flags enabled.
📋 Examples
In this repo you'll find examples on making use of SameSite=None; Secure
in a
variety of languages, libraries, and frameworks. The SameSite
attribute is
widely supported, but the addition of the explicit None
value may require
updates or work-arounds.
None
value is set you need to test in a browser that
parses this addition, e.g. Chrome 76 or above. The changes should be backwards
compatible, but those browsers should ignore the None
value so you will not
see it in any cookie view.
If your specific platform isn't covered here, please raise an issue or a pull request to include it.
🙋 Questions
You can raise an issue in this repo if there is specific behaviour you would like to see documented or something that's not clear in the current examples.
You can also use the
samesite
tag on StackOverflow
which we will monitor on a regular basis. As the discussion evolves there, we'll
also add a Frequently Asked Questions section to this repo for easy reference.
💻 Contributing
Issues and pull requests are always welcome. For details, see CONTRIBUTING
This is not an officially supported Google product.