5

I know the behavior of cookies changed as of Chrome 80.
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

This blog says, "When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections." Does this mean that a cookie with SameSite=None and Secure=False will be rejected by Chrome? Can't we set such a cookie?

I couldn't read it that way.

However, the test method described in this blog also indicates this; its description says "it will be rejected".

Cookies without SameSite must be secure

If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected. This flag only has an effect if "SameSite by default cookies" is also enabled. – Mac, Windows, Linux, Chrome OS, Android

Is this correct behavior?

Shuhei KOIKE

1 Answer

4

Correct. If you are setting SameSite=None it must always be Secure. If you do not set Secure, the cookie will be rejected.

Chrome makes two flags available for early testing:

  • chrome://flags/#same-site-by-default-cookies - this flag will treat cookies without a SameSite attribute as if they had SameSite=Lax.
  • chrome://flags/#cookies-without-same-site-must-be-secure - this flag will cause cookies with SameSite=None but missing Secure to be rejected.

While these are two separate changes from a Chrome implementation point of view, developers should look to address this as one change. Review existing cookies and set the appropriate SameSite and Secure attributes where possible.

rowan_m
  • Thank you for your answer. I understood. – Shuhei KOIKE Mar 11 '20 at 05:28
  • Does this affect all cookies, whether first-party or third-party? – Shuhei KOIKE Mar 11 '20 at 08:15
  • Whether a cookie is first or third party is just down to the context of the request. When a cookie is set with `SameSite=None; Secure` it will be sent on same-site (first party) and cross-site (third-party) requests. – rowan_m Mar 11 '20 at 09:33
  • @rowan_m as you've suggested I've updated my cookie to have the flags SameSite=None; Secure. It seems like since the last Chrome update on some computers (same Chrome versions) it saves the cookies as `same-site connections only`. Are you familiar with the problem? – Ben Mar 25 '20 at 10:49
  • This will not work in Safari: SameSite=None is also seen as SameSite=Strict in the latest Safari versions. Do you guys have any solution? I couldn't change browser settings; I have to perform the task with the default settings of Safari. –  Mar 10 '21 at 02:54
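The answer's advice to "review existing cookies" can be turned into a small audit. The script below is an added example, not code from the question, the answer or the Chromium blog; it parses `Set-Cookie` header values and applies the two rules the answer describes (no SameSite attribute is treated as Lax; SameSite=None without Secure is rejected), then shows a `harden` helper that appends the missing Secure attribute. The header strings, the function names and the treatment of a bare or unrecognised SameSite value as "unspecified" are my own assumptions for illustration.

```python
"""Audit Set-Cookie headers against the Chrome 80 SameSite rules.

Added example, not part of the original Q&A. Rules applied, as stated in
the answer above:
  1. a cookie without a SameSite attribute is treated as SameSite=Lax;
  2. a cookie with SameSite=None must also be Secure, otherwise it is rejected.
The sample headers at the bottom are constructed for illustration.
"""

VALID_MODES = ("None", "Lax", "Strict")


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes with no value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def effective_samesite(attrs: dict) -> str:
    """Return the SameSite mode Chrome 80 applies to the cookie.

    A missing attribute means 'unspecified' and is treated as Lax (rule 1).
    A bare 'SameSite' or an unrecognised value is also treated as unspecified
    here; that is an assumption of this example, not a claim from the page.
    """
    raw = attrs.get("samesite")
    if raw is None or raw is True:
        return "Lax"
    mode = str(raw).capitalize()          # none / NONE / None -> None
    return mode if mode in VALID_MODES else "Lax"


def chrome80_verdict(header: str) -> dict:
    """Classify one Set-Cookie header under the Chrome 80 rules."""
    cookie = parse_set_cookie(header)
    mode = effective_samesite(cookie["attrs"])
    secure = cookie["attrs"].get("secure") is True
    rejected = mode == "None" and not secure          # rule 2
    return {
        "name": cookie["name"],
        "samesite": mode,
        "secure": secure,
        "rejected": rejected,
        # Only an accepted SameSite=None; Secure cookie travels cross-site.
        "cross_site": mode == "None" and secure,
    }


def harden(header: str) -> str:
    """Append Secure when a header sets SameSite=None without it."""
    cookie = parse_set_cookie(header)
    if effective_samesite(cookie["attrs"]) == "None" and cookie["attrs"].get("secure") is not True:
        return header.rstrip().rstrip(";") + "; Secure"
    return header


def audit(headers) -> list:
    """Run chrome80_verdict over a list of header values."""
    return [chrome80_verdict(h) for h in headers]


# Constructed sample headers (not taken from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",            # no SameSite -> Lax
    "tracker=xyz; SameSite=None; Path=/",          # None without Secure -> rejected
    "widget=789; SameSite=None; Secure; Path=/",   # accepted, sent cross-site
    "csrf=tok; SameSite=Strict; Secure",           # accepted, same-site only
]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_HEADERS):
        status = "REJECTED" if verdict["rejected"] else "accepted"
        print(f"{verdict['name']:8} SameSite={verdict['samesite']:6} "
              f"Secure={verdict['secure']!s:5} -> {status}")
    print("fixed:", harden(SAMPLE_HEADERS[1]))
```

Running the script marks `tracker` as rejected and prints the hardened header `tracker=xyz; SameSite=None; Path=/; Secure`. The parser accepts attribute names in any case, which matters because real frameworks emit `secure`, `Secure` and `SECURE` interchangeably; the one behaviour the example does not model is Safari's handling of SameSite=None raised in the last comment.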