Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SameSite=Lax by default. #373

3 of 5 tasks
mikewest opened this issue May 8, 2019 · 7 comments
3 of 5 tasks

SameSite=Lax by default. #373

mikewest opened this issue May 8, 2019 · 7 comments


Copy link

mikewest commented May 8, 2019

Guten TAG,

I'm requesting a TAG review of:

Further details (optional):

TL;DR: We're proposing treating cookies as SameSite=Lax by defaul. Developers would be able to opt-into the status quo by explicitly asserting SameSite=None, but to do so, they'll also need to ensure that their cookies won't be delivered over non-secure transport by asserting the Secure attribute. The specification (paginated) spells out the proposal in a bit more detail.

  • Relevant time constraints or deadlines: We'd like to begin experimenting with this behavior in the relatively near future, but we're not planning on shipping it tomorrow.
  • I am more or less familiar with the Self-Review Questionnare on Security and Privacy. My assessment is that this is a privacy-positive change, as it entails a strict reduction in cookies going over the wire in plaintext, and that it will be a pretty substantial mitigation against CSRF, etc.
  • I have reviewed the TAG's API Design Principles

We'd prefer the TAG provide feedback as (please select one):

  • open issues in our GitHub repo for each point of feedback
  • open a single issue in our GitHub repo for the entire review
  • leave review feedback as a comment in this issue and @-notify [github usernames]


Copy link

hober commented May 22, 2019

Assigning @dbaron and myself because I'd like each of us to talk to colleagues on our teams with the relevant domain expertise.

Copy link

Gecko: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure!msg/

Copy link

RByers commented Jun 10, 2019

Blink: Intent to implement an ship: Cookies with SameSite by default

Note that SameSite=None is currently treated as Strict in iOS / MacOS. I have argued that I don't think we can reasonably ship this in blink as a result (don't want to force developers to rely on UA sniffing). If the CFNetwork fix (rdar://problem/42290578) got back-ported to iOS 12 then that would probably address my concern. Alternately, a different design using a new token (instead of SameSite) could address the adoption concern, but it seems that would probably be a real shame to stick the web with. @hober this is the issue I mentioned at the CSSWG meeting last week.

Copy link

dbaron commented Sep 11, 2019

I'm curious if @bakulf has any interesting feedback from prototyping in Gecko (I also can't tell from the bug what the state of the pref being enabled is).

@mikewest mikewest mentioned this issue Sep 11, 2019
5 tasks
Copy link

bakulf commented Sep 11, 2019

SameSite=Lax by default has been a topic of a couple of dom-security meetings. Currently, this feature is disabled by default, but we have strong interests in enabling in nightly, and maybe in release too. We asked Mark Goodwin to follow this topic, but after that, I don't know what has happened.

Copy link

chlily1 commented Sep 11, 2019

Chrome is looking at enabling this on pre-Stable channels soon.

Copy link

hober commented Dec 5, 2019


@dbaron, @plinss, @ylafon, and I took another look at this in our Cupertino F2F. We're satisfied with how this review has gone and the current direction of the proposal. We're going to close this issue. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

No branches or pull requests

10 participants