SameSite cookies (also known as first-party-only HTTP cookies) were introduced to counter Cross-Site Request Forgery (CSRF) and other web attacks that rely on the automatic behaviour of web browsers: a browser sends HTTP cookies to the domain they were set for, regardless of where the request originated.

Adding the SameSite flag to the Set-Cookie header marks the cookie as first-party-only in compliant browsers (Chrome 51 and Opera 39). As a result, the browser will only send the cookie with requests originating within the same domain.

For example, WebCookies.org sets a csrftoken cookie scoped to the webcookies.org domain. Your browser will send the cookie when you click the homepage link above (a first-party request), but it will also send it if you follow a link to our page from a third-party website, or even if you save this page as an HTML file and open it locally. When the cookie is marked as SameSite, it is only sent in the first case.

A sample HTTP cookie using the flag might look like this:

Set-Cookie: name=value; SameSite

The SameSite flag is defined in the Internet Draft draft-west-first-party-cookies.
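To make the first-party/third-party distinction concrete, here is an added example (not WebCookies.org code) that models a browser's decision to attach the csrftoken cookie described above to a request. It goes slightly beyond the bare flag: it also handles the Strict and Lax values defined in the draft, treats a bare SameSite flag as Strict as the draft does, and approximates the "site" of a URL as the last two host labels instead of consulting the Public Suffix List (a deliberate simplification).

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str               # host the cookie is scoped to
    samesite: Optional[str]   # None (flag absent), "Strict" or "Lax"


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value. A bare 'SameSite' (no value) is Strict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, samesite = request_host, None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            domain = val.lstrip(".").lower()
        elif key.lower() == "samesite":
            samesite = val.capitalize() if val.lower() in ("strict", "lax") else "Strict"
    return Cookie(name, value, domain, samesite)


def site_of(url: str) -> str:
    """Simplified 'site': the scheme for non-http(s) URLs (e.g. a page opened
    from file://), otherwise the last two labels of the host (assumption: no PSL)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return parts.scheme
    return ".".join(parts.hostname.split(".")[-2:])


def should_send(cookie: Cookie, request_url: str, initiator_url: Optional[str],
                top_level_navigation: bool = True, method: str = "GET") -> bool:
    """Decide whether the browser attaches `cookie` to a request for `request_url`
    that was initiated by the page at `initiator_url` (None = user typed the URL)."""
    host = urlsplit(request_url).hostname
    if not (host == cookie.domain or host.endswith("." + cookie.domain)):
        return False                  # ordinary domain matching, SameSite aside
    if cookie.samesite is None:
        return True                   # legacy behaviour: cookie always attached
    same_site = initiator_url is None or site_of(initiator_url) == site_of(request_url)
    if same_site:
        return True                   # first-party request: always attached
    if cookie.samesite == "Lax":      # Lax: cross-site only for safe top-level navigations
        return top_level_navigation and method in ("GET", "HEAD")
    return False                      # Strict: never attached on cross-site requests
```

Running the csrftoken header through `should_send` shows the cookie attached when the homepage link on webcookies.org is clicked, but withheld for a link from a third-party site or from a saved local HTML file.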
