Samesite Cookies

SameSite cookie?

A cookie sent to the site the user is currently on (for example, juanitofatas.com while browsing juanitofatas.com) is called a SameSite, or first-party, cookie. A cookie sent to a site that does not match the one the user is on, such as stripe.com, is called a cross-site, or 3rd party, cookie.

Cookies have SameSite attribute of Strict, Lax, and None.

Starting with Chrome 80, cookies that do not set a SameSite attribute are treated as Lax by default:

Set-Cookie: name=value; SameSite=Lax

Which means the cookie will not be sent on 3rd party (cross-site) requests; Lax still allows it on top-level navigations such as following a link.

Allow 3rd party cookie

Set-Cookie: name=value; SameSite=None; Secure

The 3rd party cookie will then be sent on cross-site requests, but only over an HTTPS connection: SameSite=None requires the Secure attribute, otherwise the cookie is rejected.
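To see how the Lax default and the None; Secure rule above play out, here is an added example (not from the original post) that models Chrome 80's SameSite behaviour for a Set-Cookie header and decides whether the cookie would be attached to a given request. The request context object (crossSite, topLevelNavigation, method, https) is an assumed, simplified model, and Chrome's temporary "Lax+POST" exception is ignored.

```javascript
// Added example: simplified model of Chrome 80 SameSite cookie rules.
// Parse a Set-Cookie header into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    // Flag attributes such as "Secure" have no value; store them as true.
    const [k, v = true] = a.split("=");
    cookie.attrs[k.toLowerCase()] = v;
  }
  return cookie;
}

// Effective SameSite value under Chrome 80:
//   - missing attribute        => treated as Lax
//   - SameSite=None w/o Secure => cookie rejected (never stored)
function effectiveSameSite(cookie) {
  const raw = cookie.attrs.samesite;
  const val = typeof raw === "string" ? raw.toLowerCase() : "lax";
  if (val === "none") return cookie.attrs.secure ? "none" : "rejected";
  if (val === "strict") return "strict";
  return "lax";
}

// Decide whether the cookie set by `header` is sent with a request.
// ctx (assumed model): { crossSite, topLevelNavigation, method, https }
function willSend(header, ctx) {
  const cookie = parseSetCookie(header);
  const ss = effectiveSameSite(cookie);
  if (ss === "rejected") return false;               // never stored at all
  if (cookie.attrs.secure && !ctx.https) return false; // Secure: HTTPS only
  if (!ctx.crossSite) return true;                   // first-party: always sent
  if (ss === "none") return true;                    // explicitly allowed cross-site
  if (ss === "strict") return false;                 // never cross-site
  // Lax: only top-level navigations with a safe method (e.g. following a link),
  // not subresource requests such as images, iframes or fetch() calls.
  return ctx.topLevelNavigation && ctx.method === "GET";
}

// Constructed sample: an embedded cross-site subresource request over HTTPS.
const crossSiteSubresource = { crossSite: true, topLevelNavigation: false, method: "GET", https: true };
console.log(willSend("name=value", crossSiteSubresource));                   // false (default Lax)
console.log(willSend("name=value; SameSite=None; Secure", crossSiteSubresource)); // true
```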

Library support

Test your site

Open chrome://flags and enable these two experiments: chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure:

Then go to your site and check the console for SameSite warnings. Make changes accordingly.