'SameSite' cookie attribute

Same-site cookies (née "First-Party-Only" (née "First-Party")) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

Specification

Editor's draft

Implementation Status

Enabled by default in desktop Chrome 51 (launch bug)

Available in Chrome for Android release 51.

Available in Android WebView release 51.

Consensus & Standardization

• Firefox: Public support
• Edge: No public signals
• Opera: Shipped in release 39
• Opera for Android: Shipped in release 39
• Safari: No public signals
• Web Developers: Positive

Owner

• [email protected]

Last updated on 2016-03-29