Note: Standards related to the Cookie SameSite attribute recently changed such that:
- The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
- Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).
- Cookies from the same domain are no longer considered to be from the same site if sent using a different scheme (
This article documents the new standard. See Browser Compatibility below for information about specific versions where the behavior changed.
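
The following is an added example, not code from the original article. It audits Set-Cookie headers against the changes listed above and checks scheme-aware same-site status. The function names, the sample headers, and the caller-supplied registrable domain are assumptions made for illustration.

```javascript
// Added example: audit Set-Cookie headers against the updated SameSite rules.
const KNOWN = new Map([["strict", "Strict"], ["lax", "Lax"], ["none", "None"]]);

function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const flags = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    flags.set(key, eq === -1 ? "" : attr.slice(eq + 1).trim());
  }
  const declared = (flags.get("samesite") || "").toLowerCase();
  const explicit = KNOWN.has(declared);
  // A missing SameSite attribute now means Lax; an unrecognized value is
  // treated here like a missing one.
  const sameSite = explicit ? KNOWN.get(declared) : "Lax";
  const secure = flags.has("secure");
  // SameSite=None is only accepted together with Secure.
  const accepted = !(sameSite === "None" && !secure);
  let finding = "ok";
  if (!accepted) finding = "rejected: SameSite=None without Secure";
  else if (!explicit) finding = "no valid SameSite: treated as Lax";
  return { name, sameSite, explicit, secure, accepted, finding };
}

// Schemeful same-site: same site requires the same scheme as well.
// Assumption: the caller passes the registrable domain; a real check derives
// it from the Public Suffix List.
function isSameSite(urlA, urlB, registrableDomain) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  const under = (h) => h === registrableDomain || h.endsWith("." + registrableDomain);
  return under(a.hostname) && under(b.hostname) && a.protocol === b.protocol;
}

// Constructed sample headers (not from any real site).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",
  "widget=1; SameSite=None",
  "widget=1; SameSite=None; Secure",
  "pref=dark; samesite=STRICT",
];
for (const h of SAMPLE_HEADERS) console.log(h, "=>", auditSetCookie(h).finding);
console.log(isSameSite("http://example.com/", "https://shop.example.com/", "example.com"));
```

Running this over the Set-Cookie headers captured from a staging site shows which cookies rely on the Lax default and which would be dropped for lacking Secure.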