This is a tracking task for grouping issues related to the [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite|SameSite]] cookie flag.
`SameSite=Strict` stops the browser from sending the cookie on any request that does not originate from the same site (registrable domain). `SameSite=Lax` is similar but exempts top-level GET requests (such as loading a new page by clicking a link). `SameSite=None` is the traditional behavior (no restrictions) and used to be the default, but modern browsers are increasingly defaulting to `SameSite=Lax`, and are also starting to ignore `SameSite=None` cookies that are not set with the `Secure` flag (and over HTTPS). Some older browsers, on the other hand, interpret any value as `Strict`. ([[https://caniuse.com/#feat=same-site-cookie-attribute|details]], [[https://www.chromium.org/updates/same-site/incompatible-clients|details]])
----
* Chrome (and Edge/Opera): [[https://www.chromestatus.com/feature/5088147346030592|Cookies default to SameSite=Lax]]; [[https://www.chromestatus.com/feature/5633521622188032|Reject insecure SameSite=None cookies]]; both are [[https://www.chromium.org/updates/same-site|being rolled out]] slowly.
* Firefox: the same behavior as Chrome's is enabled in Nightly and for 50% of Beta; a full rollout is planned, but as of August 2020 there is [[https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/|no timeline yet]].
For now, both Firefox and Chrome treat a cookie as `SameSite=None` for top-level requests when the cookie is less than two minutes old. ([[https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/|source]])
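To make the rules above concrete, here is a small model (added for this task; it is not browser or spec code) of how a browser decides whether to attach a cookie to a request, covering Strict/Lax/None, the Lax-by-default and None-requires-Secure changes, and the two-minute grace period for cookies that have no explicit `SameSite` attribute. The `Set-Cookie` headers are constructed samples, and treating an unrecognised `SameSite` value like a missing one is an assumption of the model.

```python
"""Model of the SameSite rules summarised in this task (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample Set-Cookie headers (not taken from any real site).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "tracker=xyz; Path=/; SameSite=None",        # None without Secure
    "pref=dark; Path=/",                         # no SameSite attribute at all
    "sso=tok; Path=/; Secure; SameSite=None",    # the only valid cross-site form
]


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    samesite: Optional[str] = None  # "Strict", "Lax", "None"; None = attribute absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse the name/value pair plus the Secure and SameSite attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "samesite":
            cookie.samesite = val.strip().capitalize()  # "lax" -> "Lax", "none" -> "None"
    return cookie


def effective_samesite(cookie: Cookie, modern: bool = True) -> Optional[str]:
    """Mode a browser applies to the cookie, or None if it rejects the cookie.

    modern=True models Lax-by-default plus None-requires-Secure (Chrome's
    rollout, Firefox behind its prefs); modern=False models the legacy
    None-by-default behavior. Assumption: an unrecognised value is treated
    like a missing attribute.
    """
    mode = cookie.samesite if cookie.samesite in ("Strict", "Lax", "None") else None
    if mode is None:
        mode = "Lax" if modern else "None"
    if modern and mode == "None" and not cookie.secure:
        return None  # cookies-without-same-site-must-be-secure
    return mode


def would_send(cookie: Cookie, *, same_site: bool, top_level: bool, method: str,
               https: bool, age_seconds: float = 0.0, modern: bool = True) -> bool:
    """Decide whether the browser attaches the cookie to a request."""
    mode = effective_samesite(cookie, modern)
    if mode is None:
        return False  # cookie was rejected when set
    if cookie.secure and not https:
        return False  # Secure cookies travel only over HTTPS
    if same_site or mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: cross-site requests get the cookie only on top-level navigations
    # with a safe method (GET, HEAD).
    if top_level and method.upper() in ("GET", "HEAD"):
        return True
    # Grace period: a cookie with no explicit attribute that is under two
    # minutes old is still sent on top-level unsafe requests (e.g. POST).
    if top_level and modern and cookie.samesite is None and age_seconds < 120:
        return True
    return False


def audit(header: str) -> List[str]:
    """Flag Set-Cookie headers that behave differently under the new defaults."""
    cookie = parse_set_cookie(header)
    findings = []
    if cookie.samesite is None:
        findings.append("no SameSite attribute: modern browsers apply Lax, older ones None")
    if cookie.samesite == "None" and not cookie.secure:
        findings.append("SameSite=None without Secure: rejected by modern browsers")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit(header) or "ok")
```

`audit()` is the part worth running over a real site's response headers: anything it flags will behave differently once the new defaults reach that browser.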
----
Spec:
* [[https://tools.ietf.org/html/draft-west-first-party-cookies-07|Same-site Cookies]]
* [[https://tools.ietf.org/html/draft-west-cookie-incrementalism-01|Incrementally Better Cookies]]
----
Testing:
* current browser behavior: https://samesite-sandbox.glitch.me/ (with the new SameSite behavior enabled, every check should be green)
* Chrome: override in `chrome://flags` with `same-site-by-default-cookies` and `cookies-without-same-site-must-be-secure`
* Firefox: override in `about:config` with `network.cookie.sameSite.laxByDefault` and `network.cookie.sameSite.noneRequiresSecure`