What is a SameSite HTTP cookie?
SameSite cookies (also known as first-party-only HTTP cookies) were introduced to counter Cross-Site Request Forgery (CSRF) and other web attacks that exploit the automatic behaviour of web browsers: a browser sends HTTP cookies to the domain they were set for regardless of where the request originates.
The SameSite flag on the Set-Cookie header marks the cookie as first-party-only in compliant browsers (Chrome 51 and Opera 39). As a result, the browser will only send the cookie in requests within the same domain.
For example, WebCookies.org sets a csrftoken cookie for the webcookies.org domain. The cookie will be sent by your browser when you click on the homepage link above (a first-party request), but it will also be sent if you follow a link to our page from a third-party website, or even if you save this page as an HTML file. When the cookie is marked as SameSite, it will only be sent in the first case.
A sample HTTP cookie using the flag might look like this:
Set-Cookie: name=value; SameSite
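To make that decision concrete, the following is an added example (not code from WebCookies.org) that models how a compliant browser chooses whether to attach a cookie, given the SameSite attribute parsed from a Set-Cookie header and where the request comes from. It goes beyond the page by also handling the Lax and None values that later versions of the SameSite specification define; the host names other than webcookies.org are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into { name, value, domain, sameSite }.
// A bare "SameSite" with no value is treated as "Strict", as in the original
// draft; a missing attribute yields null (the cookie is sent cross-site too).
function parseSetCookie(header, responseHost) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('='), domain: responseHost.toLowerCase(), sameSite: null };
  for (const attr of parts.slice(1)) {
    const [key, ...vals] = attr.split('=');
    const k = key.trim().toLowerCase();
    const v = vals.join('=').trim();
    if (k === 'samesite') {
      const mode = v ? v.toLowerCase() : 'strict';
      cookie.sameSite = mode === 'lax' ? 'Lax' : mode === 'none' ? 'None' : 'Strict';
    } else if (k === 'domain' && v) {
      cookie.domain = v.replace(/^\./, '').toLowerCase(); // strip the legacy leading dot
    }
  }
  return cookie;
}

// "Site" of a host under a simplified two-label model (no public-suffix list).
// Returns null for a request with no origin, e.g. a page opened from a local HTML file.
function siteOf(host) {
  if (!host) return null;
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Decide whether the browser attaches `cookie` to a request for `targetHost`
// initiated from `initiatorHost` (null when there is no initiating origin).
// `topLevelNavigation` is true for a safe-method (GET) navigation that changes
// the address bar, e.g. a clicked link; false for subresources, XHR and iframes.
// Domain matching is simplified to a site comparison for illustration.
function shouldSendCookie(cookie, targetHost, initiatorHost, topLevelNavigation) {
  if (siteOf(targetHost) !== siteOf(cookie.domain)) return false; // cookie not for this site
  const sameSite = siteOf(initiatorHost) === siteOf(targetHost);
  if (cookie.sameSite === null || cookie.sameSite === 'None') return true; // sent everywhere
  if (sameSite) return true;                                               // first-party request
  if (cookie.sameSite === 'Lax') return topLevelNavigation;                // cross-site, links only
  return false;                                                            // Strict: never cross-site
}

// Walk through the page's csrftoken example (cookie value constructed).
const csrf = parseSetCookie('csrftoken=abc123; SameSite', 'webcookies.org');
console.log(shouldSendCookie(csrf, 'webcookies.org', 'webcookies.org', true)); // true: homepage link
console.log(shouldSendCookie(csrf, 'webcookies.org', 'example.net', true));    // false: third-party link
console.log(shouldSendCookie(csrf, 'webcookies.org', null, true));             // false: saved HTML file
```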
The SameSite flag is defined in the Internet Draft draft-west-first-party-cookies.