This is a tracking task for grouping issues related to the [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite|SameSite]] cookie flag.
`SameSite=Strict` prevents the cookie from being sent with a request unless the request originates from the same domain. `SameSite=Lax` is similar but exempts top-level GET requests (such as loading a new page by clicking on a link). `SameSite=None` is the traditional behavior (no restrictions); it used to be the default, but modern browsers increasingly default to `SameSite=Lax`, and also ignore `SameSite=None` cookies that are not set with the `Secure` flag (and over HTTPS). Some older browsers, on the other hand, interpret any value as `Strict`. ([[https://caniuse.com/#feat=same-site-cookie-attribute|details]], [[https://www.chromium.org/updates/same-site/incompatible-clients|details]])
"Same domain" also means same scheme; this might impact mixed-protocol non-Wikimedia sites and leftover HTTP links on Wikimedia sites.
----
* Chrome (and Edge/Opera): [[https://www.chromestatus.com/feature/5088147346030592|Cookies default to SameSite=Lax]]; [[https://www.chromestatus.com/feature/5633521622188032|Reject insecure SameSite=None cookies]]; [[https://chromestatus.com/feature/5096179480133632|Schemeful same-site]] - all fully rolled out.
* Firefox: Same behavior as Chrome (see [[https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/96#http|v96 release notes]])
Both Firefox and Chrome do (did?) default to None for top-level requests when the cookie is less than two minutes old. ([[https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/|source]]).
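To make the rules above concrete, here is a small simulator (added illustration, not browser or Wikimedia code) that applies the modern behaviour described in this task: a missing `SameSite` attribute is stored as Lax, `SameSite=None` without `Secure` is rejected, "same site" is compared schemefully (scheme plus registrable domain), and a cookie that was only defaulted to Lax still rides along on a cross-site top-level POST during its first two minutes. The public-suffix table and the sample URLs are constructed for the example; a real client would consult the full Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed, minimal public-suffix table: enough for the sample hosts used
# here. A real implementation would use the Public Suffix List.
PUBLIC_SUFFIXES = {"org", "com"}


def site_of(url: str) -> tuple[str, str]:
    """Schemeful site of a URL: (scheme, registrable domain).
    https://en.wikipedia.org and https://de.wikipedia.org are the same site;
    http://en.wikipedia.org and https://en.wikipedia.org are not (schemeful)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return parts.scheme.lower(), ".".join(labels[i - 1:])
    return parts.scheme.lower(), host


@dataclass
class Cookie:
    name: str
    same_site: str            # effective value after defaults: Strict, Lax or None
    secure: bool
    explicit_same_site: bool  # False when the attribute was absent and Lax was applied
    age_seconds: int = 3600   # how long ago the cookie was stored


def parse_set_cookie(header: str, age_seconds: int = 3600) -> Optional[Cookie]:
    """Store a cookie from a Set-Cookie header under the modern rules:
    - missing or unrecognised SameSite  -> treated as Lax
    - SameSite=None without Secure      -> rejected (returns None)"""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    same_site: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "samesite" and value in ("strict", "lax", "none"):
            same_site = value.capitalize()
        elif key == "secure":
            secure = True
    explicit = same_site is not None
    if same_site is None:
        same_site = "Lax"
    if same_site == "None" and not secure:
        return None
    return Cookie(name, same_site, secure, explicit, age_seconds)


def is_sent(cookie: Cookie, request_url: str, initiator_url: str,
            top_level: bool, method: str = "GET") -> bool:
    """Would the browser attach `cookie` to a request for request_url that was
    initiated by a page at initiator_url?"""
    if cookie.secure and urlsplit(request_url).scheme.lower() != "https":
        return False                          # Secure cookies only go over HTTPS
    if site_of(request_url) == site_of(initiator_url):
        return True                           # same-site: SameSite does not restrict
    if cookie.same_site == "None":
        return True
    if cookie.same_site == "Strict":
        return False
    # Lax: cross-site only on top-level navigations with a safe method ...
    method = method.upper()
    if top_level and method in ("GET", "HEAD"):
        return True
    # ... plus the "Lax + POST" mitigation: a cookie that was merely defaulted
    # to Lax is still sent on a top-level POST during its first two minutes.
    if (top_level and method == "POST"
            and not cookie.explicit_same_site and cookie.age_seconds < 120):
        return True
    return False


if __name__ == "__main__":
    # Sample: a session cookie with no SameSite attribute, read from a
    # cross-site page (constructed URLs).
    sid = parse_set_cookie("sid=abc; Secure; Path=/")
    print("cross-site link click:", is_sent(sid, "https://en.wikipedia.org/w/index.php",
                                            "https://example.com/", top_level=True))
    print("cross-site <img>:     ", is_sent(sid, "https://en.wikipedia.org/w/api.php",
                                            "https://example.com/", top_level=False))
```

The schemeful check is what line 3 of this task is about: an `http://` link on an otherwise HTTPS wiki makes the navigation cross-site, so a Strict cookie is dropped and only the Lax exemption for top-level GETs keeps the user logged in.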
----
Spec:
* [[https://tools.ietf.org/html/draft-west-first-party-cookies-07|Same-site Cookies]]
* Incrementally Better Cookies ([[https://tools.ietf.org/html/draft-west-cookie-incrementalism-01|original spec]], [[https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html|latest]])
----
Testing:
* current browser behavior: https://samesite-sandbox.glitch.me/ - with the new SameSite behavior, it should be all green.
* Chrome: override with `same-site-by-default-cookies` and `cookies-without-same-site-must-be-secure`
* Firefox: override with `network.cookie.sameSite.laxByDefault` and `network.cookie.sameSite.noneRequiresSecure`