A cookie sent from juanitofatas.com (my own site) is what we call a SameSite, or first-party, cookie. A cookie sent to stripe.com, which does not match my site, is called a cross-site, or third-party, cookie.

A cookie's SameSite attribute can be Strict, Lax, or None.
Starting with Chrome 80, all cookies without an explicit SameSite attribute are treated by default as Lax:

```
Set-Cookie: name=value; SameSite=Lax
```

Which means any third-party cookie will not be sent.

```
Set-Cookie: name=value; SameSite=None; Secure
```

A third-party cookie will be sent, but only over an HTTPS connection.
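As an added example (not code from this post or from Rack), the following Ruby audits Set-Cookie headers against the Chrome 80 rules above: a missing SameSite is treated as Lax, and SameSite=None is rejected unless Secure is also present. The header samples are constructed for the demo; `audit_set_cookie` and `audit_headers` are names chosen here.

```ruby
# Classify a Set-Cookie header value the way a browser with Chrome 80
# defaults will treat it. Pure stdlib Ruby; no Rack dependency.
#
# Returns a hash:
#   :name            - cookie name
#   :effective       - SameSite value that will apply (:strict, :lax, :none)
#   :secure          - whether the Secure attribute is present
#   :rejected        - true when SameSite=None lacks Secure (Chrome drops it)
#   :sent_cross_site - true only for an accepted SameSite=None; Secure cookie
#   :warnings        - notes a developer should act on
def audit_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name = parts.shift.split('=', 2).first
  attrs = {}
  parts.each do |part|
    key, value = part.split('=', 2)
    attrs[key.downcase] = value # attribute names are case-insensitive
  end
  same_site = attrs['samesite']&.downcase
  secure = attrs.key?('secure')
  warnings = []
  effective = case same_site
              when 'strict' then :strict
              when 'none'   then :none
              when 'lax'    then :lax
              else
                # Missing (or unrecognized) SameSite falls back to the Chrome 80 default.
                warnings << "#{name}: no valid SameSite attribute, Chrome 80 treats it as Lax"
                :lax
              end
  rejected = effective == :none && !secure
  warnings << "#{name}: SameSite=None without Secure is rejected by Chrome 80" if rejected
  { name: name, effective: effective, secure: secure, rejected: rejected,
    sent_cross_site: effective == :none && !rejected, warnings: warnings }
end

# Audit a whole response's Set-Cookie headers and collect every warning.
def audit_headers(headers)
  headers.flat_map { |h| audit_set_cookie(h)[:warnings] }
end

# Constructed sample headers, e.g. from a checkout page that embeds a third-party widget.
SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',            # no SameSite -> Lax by default
  'widget=xyz; SameSite=None',                   # cross-site cookie missing Secure -> rejected
  'widget=xyz; SameSite=None; Secure',           # correct cross-site cookie
].freeze

puts audit_headers(SAMPLE_HEADERS) if $PROGRAM_NAME == __FILE__
```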
- Use Secure Headers
- Rack 2.2.2+ (introduced in #1358, fixed in #1587)
In chrome://flags, enable these two experiments: chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure.

Then go to your site and check the console warnings. Make changes accordingly.