'SameSite' cookie attribute

Same-site cookies ("First-Party-Only" or "First-Party") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

Spec	https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07
Status	Other

IE	Edge	Firefox	Chrome	Safari	Opera
		147	144 (3)
		146	143 (3)	TP
		145	142 (3)	26.1
11 (1,2)	141 (3)	144	141 (3)	26.0	122 (3)
10	140 (3)	143	140 (3)	18.5-18.6	121 (3)
9	139 (3)	142	139 (3)	18.4	120 (3)
8	138 (3)	141	138 (3)	18.3	119 (3)
Show all
7	137 (3)	140	137 (3)	18.2	118 (3)
6	136 (3)	139	136 (3)	18.1	117 (3)
5.5	135 (3)	138	135 (3)	18.0	116 (3)
	134 (3)	137	134 (3)	17.6	115 (3)
	133 (3)	136	133 (3)	17.5	114 (3)
	132 (3)	135	132 (3)	17.4	113 (3)
	131 (3)	134	131 (3)	17.3	112 (3)
	130 (3)	133	130 (3)	17.2	111 (3)
	129 (3)	132	129 (3)	17.1	110 (3)
	128 (3)	131	128 (3)	17.0	109 (3)
	127 (3)	130	127 (3)	16.6	108 (3)
	126 (3)	129	126 (3)	16.5	107 (3)
	125 (3)	128	125 (3)	16.4	106 (3)
	124 (3)	127	124 (3)	16.3	105 (3)
	123 (3)	126	123 (3)	16.2	104 (3)
	122 (3)	125	122 (3)	16.1	103 (3)
	121 (3)	124	121 (3)	16.0	102 (3)
	120 (3)	123	120 (3)	15.6	101 (3)
	119 (3)	122	119 (3)	15.5	100 (3)
	118 (3)	121	118 (3)	15.4	99 (3)
	117 (3)	120	117 (3)	15.2-15.3	98 (3)
	116 (3)	119	116 (3)	15.1	97 (3)
	115 (3)	118	115 (3)	15	96 (3)
	114 (3)	117	114 (3)	14.1 (5)	95 (3)
	113 (3)	116	113 (3)	14 (5)	94 (3)
	112 (3)	115	112 (3)	13.1 (4,5)	93 (3)
	111 (3)	114	111 (3)	13 (4,5)	92 (3)
	110 (3)	113	110 (3)	12.1 (4,5)	91 (3)
	109 (3)	112	109 (3)	12 (4,5)	90 (3)
	108 (3)	111	108 (3)	11.1	89 (3)
	107 (3)	110	107 (3)	11	88 (3)
	106 (3)	109	106 (3)	10.1	87 (3)
	105 (3)	108	105 (3)	10	86 (3)
	104 (3)	107	104 (3)	9.1	85 (3)
	103 (3)	106	103 (3)	9	84 (3)
	102 (3)	105	102 (3)	8	83 (3)
	101 (3)	104	101 (3)	7.1	82 (3)
	100 (3)	103	100 (3)	7	81 (3)
	99 (3)	102	99 (3)	6.1	80 (3)
	98 (3)	101	98 (3)	6	79 (3)
	97 (3)	100	97 (3)	5.1	78 (3)
	96 (3)	99	96 (3)	5	77 (3)
	95 (3)	98	95 (3)	4	76 (3)
	94 (3)	97	94 (3)	3.2	75 (3)
	93 (3)	96	93 (3)	3.1	74 (3)
	92 (3)	95	92 (3)		73 (3)
	91 (3)	94	91 (3)		72 (3)
	90 (3)	93	90 (3)		71 (3)
	89 (3)	92	89 (3)		70
	88 (3)	91	88 (3)		69
	87 (3)	90	87 (3)		68
	86 (3)	89	86 (3)		67
	85	88	85 (3)		66
	84	87	84 (3)		65
	83	86	83 (3)		64
	81	85	81 (3)		63
	80	84	80 (3)		62
	79	83	79		60
	18	82	78		58
	17 (1)	81	77		57
	16 (1)	80	76		56
	15	79	75		55
	14	78	74		54
	13	77	73		53
	12	76	72		52
		75	71		51
		74	70		50
		73	69		49
		72	68		48
		71	67		47
		70	66		46
		69	65		45
		68	64		44
		67	63		43
		66	62		42
		65	61		41
		64	60		40
		63	59		39
		62	58		38
		61	57		37
		60	56		36
		59	55		35
		58	54		34
		57	53		33
		56	52		32
		55	51		31
		54	50		30
		53	49		29
		52	48		28
		51	47		27
		50	46		26
		49	45		25
		48	44		24
		47	43		23
		46	42		22
		45	41		21
		44	40		20
		43	39		19
		42	38		18
		41	37		17
		40	36		16
		39	35		15
		38	34		12.1
		37	33		12
		36	32		11.6
		35	31		11.5
		34	30		11.1
		33	29		11
		32	28		10.6
		31	27		10.5
		30	26		10.0-10.1
		29	25		9.5-9.6
		28	24		9
		27	23
		26	22
		25	21
		24	20
		23	19
		22	18
		21	17
		20	16
		19	15
		18	14
		17	13
		16	12
		15	11
		14	10
		13	9
		12	8
		11	7
		10	6
		9	5
		8	4
		7
		6
		5
		4
		3.6
		3.5
		3
		2

Safari on iOS	Opera Mini	Android Browser	Blackberry Browser	Opera Mobile	Android Chrome	Android Firefox	IE Mobile	Android UC Browser	Samsung Internet	QQ Browser	Baidu Browser	KaiOS Browser
26.1
26.0	all	141	10	80 (3)	141 (3)	143	11	15.5	28	14.9	13.52 (3)	3.0-3.1
18.5-18.6		4.4.3-4.4.4	7	12.1			10		27			2.5
18.4		4.4		12					26
18.3		4.2-4.3		11.5					25
Show all
18.2		4.1		11.1					24
18.1		4		11					23
18.0		3		10					22
17.6-17.7		2.3							21
17.5		2.2							20
17.4		2.1							19.0
17.3									18.0
17.2									17.0
17.1									16.0
17.0									15.0
16.6-16.7									14.0
16.5									13.0
16.4									12.0
16.3									11.1-11.2
16.2									10.1
16.1									9.2
16.0									8.2
15.6-15.8									7.2-7.4
15.5									6.2-6.4
15.4									5.0-5.4
15.2-15.3									4
15.0-15.1
14.5-14.8
14.0-14.4
13.4-13.7
13.3
13.2
13.0-13.1
12.2-12.5 (5)
12.0-12.1 (5)
11.3-11.4
11.0-11.2
10.3
10.0-10.2
9.3
9.0-9.2
8.1-8.4
8
7.0-7.1
6.0-6.1
5.0-5.1
4.2-4.3
4.0-4.1
3.2

Notes

This feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie. There is no need to deliver different cookies to clients.

1. Not shipped with the initial release but later with the 2018 June security update (Patch Tuesday) to Windows 10 RS3 (2017 Fall Creators Update) and newer. More info.

2. Partial support because only supported in IE 11 on Windows 10 RS3 (2017 Fall Creators Update) and newer, but not in IE 11 on other Windows versions (Windows 7, ...)

3. Cookies without SameSite are treated as Lax by default, SameSite=None cookies without Secure are rejected.

4. Partial due to the lack of support in macOS before 10.14 Mojave.

5. Partial due to the bug that treats SameSite=None and invalid values as Strict in macOS before 10.15 Catalina and in iOS before 13.

Bugs

• On Safari in macOS before 10.14.4 and iOS before 12.2, some authentication flows with a cross-site identity provider might fail when SameSite=Lax is used. See the explanation and a workaround.

• On Safari before 12.1.1 and iOS before 12.3, manually visiting a redirection link to a cross-site omits Lax cookies from the cross-site request. See the bug.

Resources

• Preventing CSRF with the same-site cookie attribute
• Mozilla Bug #795346: Add SameSite support for cookies
• Mozilla Bug #1286861, includes the patches that landed SameSite support in Firefox
• Microsoft Edge Browser Status
• MS Edge dev blog: "Previewing support for same-site cookies in Microsoft Edge"
• Mozilla Bug #1551798: Prototype SameSite=Lax by default
• Same-site cookies demonstration by Rowan Merewood