Now that support for SameSite=None has been deployed across the web, the next step is restricting third-party cookies by default. If you added SameSite=None to any of your cookies, then you will now need to take further action to migrate or maintain that functionality.
See the Third-party cookie deprecation section in the Privacy Sandbox developer documentation.
This is a companion repo for the
"SameSite cookies explained"
article on web.dev. This is your starting point for how cookies work, the
functionality of the SameSite attribute, and the changes in Chrome to apply a
SameSite=Lax policy by default while requiring the use of
SameSite=None; Secure for cookies in a third-party context.
This functionality is available now in Chrome 76 behind the associated flags to let you test the effect on your site. This is intended to become default behaviour as of Chrome 80.
- Flag:
chrome://flags/#same-site-by-default-cookies - Chrome Status entry:
Cookies with
SameSiteby default
Turn this flag on to have Chrome apply the equivalent of SameSite=Lax to
cookies without a SameSite attribute specified.
- Flag:
chrome://flags/#cookies-without-same-site-must-be-secure - Chrome Status entry:
Reject insecure
SameSite=Nonecookies
Turn on this flag along with the previous flag to have Chrome enforce the need
for any SameSite=None cookie to also specify the Secure attribute.
- Flag
chrome://flags/#cookie-deprecation-messages
This will add console warning messages for every single cookie potentially affected by this change.
Since the vast majority of cookies do not have any SameSite attribute set that
means they are all sent in a cross-site context, regardless of whether or not
the intent is to use them.
As you add the correct SameSite and Secure values to your cookies, you will
be able to use the console warnings to test for any you have missed. Try this
without the previous flags enabled.
In this repo you'll find examples on making use of SameSite=None; Secure in a
variety of languages, libraries, and frameworks. The SameSite attribute is
widely supported, but the addition of the explicit None value may require
updates or work-arounds.
🚧 NOTE: To test the None value is set you need to test in a browser that
parses this addition, e.g. Chrome 76 or above. The changes should be backwards
compatible, but those browsers should ignore the None value so you will not
see it in any cookie view.
If your specific platform isn't covered here, please raise an issue or a pull request to include it.
You can raise an issue in this repo if there is specific behaviour you would like to see documented or something that's not clear in the current examples.
You can also use the
samesite tag on StackOverflow
which we will monitor on a regular basis. As the discussion evolves there, we'll
also add a Frequently Asked Questions section to this repo for easy reference.
Issues and pull requests are always welcome. For details, see CONTRIBUTING
This is not an officially supported Google product.
