
`SameSite=Lax` by default. #373

mikewest opened this issue May 8, 2019 · 3 comments


commented May 8, 2019

Guten TAG,

I'm requesting a TAG review of:

Further details (optional):

TL;DR: We're proposing treating cookies as SameSite=Lax by default. Developers would be able to opt into the status quo by explicitly asserting SameSite=None, but to do so, they'll also need to ensure that their cookies won't be delivered over non-secure transport by asserting the Secure attribute. The specification (paginated) spells out the proposal in a bit more detail.

  • Relevant time constraints or deadlines: We'd like to begin experimenting with this behavior in the relatively near future, but we're not planning on shipping it tomorrow.
  • I am more or less familiar with the Self-Review Questionnaire on Security and Privacy. My assessment is that this is a privacy-positive change, as it entails a strict reduction in cookies going over the wire in plaintext, and that it will be a pretty substantial mitigation against CSRF, etc.
  • I have reviewed the TAG's API Design Principles

We'd prefer the TAG provide feedback as (please select one):

  • open issues in our GitHub repo for each point of feedback
  • open a single issue in our GitHub repo for the entire review
  • leave review feedback as a comment in this issue and @-notify [github usernames]
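The following is an added worked example, not code from this issue, from the specification, or from any browser engine. It models the two rules proposed above (a missing SameSite attribute is treated as Lax; SameSite=None is only accepted together with Secure) and then decides whether a stored cookie is attached to a given request. The function names, the `lax_by_default` switch (False models the status quo) and the `none_as_strict` flag (modelling the CFNetwork behaviour described later in this thread, where SameSite=None is treated as Strict) are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    same_site: str  # "Strict", "Lax" or "None"


def parse_set_cookie(header: str, lax_by_default: bool = True) -> Optional[Cookie]:
    """Parse a Set-Cookie header value under the proposed rules.

    Returns None when the cookie is rejected, i.e. SameSite=None without
    Secure under the new default. With lax_by_default=False the status quo
    is modelled: no SameSite attribute means no same-site restriction.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = False
    same_site = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip().capitalize()  # "none" -> "None"
    if same_site not in ("Strict", "Lax", "None"):
        # Missing or unrecognised value: apply the default enforcement mode.
        same_site = "Lax" if lax_by_default else "None"
    if lax_by_default and same_site == "None" and not secure:
        return None  # proposed rule: SameSite=None requires Secure
    return Cookie(name.strip(), value.strip(), secure, same_site)


def is_sent(cookie: Cookie, same_site_request: bool, top_level_get: bool,
            https: bool, none_as_strict: bool = False) -> bool:
    """Decide whether the user agent attaches this cookie to a request."""
    if cookie.secure and not https:
        return False  # Secure cookies never travel in plaintext
    mode = "Strict" if (none_as_strict and cookie.same_site == "None") else cookie.same_site
    if mode == "None" or same_site_request:
        return True
    # Lax: cross-site only on top-level navigations using a safe method,
    # so a cross-site POST (the classic CSRF vector) gets no cookie.
    return mode == "Lax" and top_level_get
```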




commented May 22, 2019

Assigning @dbaron and myself because I'd like each of us to talk to colleagues on our teams with the relevant domain expertise.


commented May 23, 2019

Gecko: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure


commented Jun 10, 2019

Blink: Intent to implement and ship: Cookies with SameSite by default

Note that SameSite=None is currently treated as Strict in iOS / MacOS. I have argued that I don't think we can reasonably ship this in blink as a result (don't want to force developers to rely on UA sniffing). If the CFNetwork fix (rdar://problem/42290578) got back-ported to iOS 12 then that would probably address my concern. Alternately, a different design using a new token (instead of SameSite) could address the adoption concern, but it seems that would probably be a real shame to stick the web with. @hober this is the issue I mentioned at the CSSWG meeting last week.
