The SameSite attribute determines whether a cookie is sent with cross-site requests. It can take three values, and it can also be left unset:

| Value | Behavior |
|---|---|
| Strict | The cookie is only sent in a first-party context: same-site requests, and navigations the user makes directly (typing the address or using a bookmark). It is not sent on navigations arriving from another site. |
| Lax | The cookie is also sent on top-level cross-site navigations that use a safe method such as GET (for example clicking a link), but not with embedded content (iframes, images, scripts) or with cross-site POST or fetch requests. |
| None | The cookie is sent in all contexts, including cross-site requests. Current browsers only accept it together with the Secure attribute. |
| (not set) | If the SameSite attribute is not specified, the behavior is browser dependent; Chrome treats the cookie as Lax. |
How a browser determines whether a request is cross-site varies with the context of the request and the browser vendor. To learn more, follow the interactive examples below or try the SameSite playground.
If you're visiting this page for the first time, your browser session has already collected cookies with different SameSite attributes.
Try the following to remove all cookies and retrieve them again from the server:
On the first GET request, the server sends the cookies to the browser in its response. On the second GET request, the cookies marked with a ✅ were sent by the browser and received by the server.
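As an added example (not the page's own code), here is a minimal Go `net/http` server that performs the same two-step experiment: one handler issues the four cookie variants, one expires them again so the run can be repeated, and one reports which cookies the browser actually sent back. The cookie names, paths and port are assumptions chosen for this example. It also prints the raw Set-Cookie lines, which shows that Go emits no attribute at all for an unset SameSite and that the `SameSite=None` cookie must carry `Secure`.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"time"
)

// The four cookie variants from the table above. The names are chosen for this
// example and are not the page's own cookie names.
var demoCookies = []http.Cookie{
	{Name: "ss_strict", Value: "1", Path: "/", SameSite: http.SameSiteStrictMode},
	{Name: "ss_lax", Value: "1", Path: "/", SameSite: http.SameSiteLaxMode},
	// Browsers only accept SameSite=None together with Secure, so set both.
	{Name: "ss_none", Value: "1", Path: "/", SameSite: http.SameSiteNoneMode, Secure: true},
	// SameSite left unset: net/http emits no attribute and the browser picks a default.
	{Name: "ss_unset", Value: "1", Path: "/"},
}

// setCookieHeaders returns the Set-Cookie lines the server emits for the demo
// cookies, so the wire format of each variant can be inspected without a browser.
func setCookieHeaders() []string {
	out := make([]string, 0, len(demoCookies))
	for i := range demoCookies {
		out = append(out, demoCookies[i].String())
	}
	return out
}

// setHandler is the "first GET": it hands all four cookies to the browser.
func setHandler(w http.ResponseWriter, r *http.Request) {
	for i := range demoCookies {
		c := demoCookies[i] // copy; SetCookie takes a pointer
		http.SetCookie(w, &c)
	}
	fmt.Fprintln(w, "cookies set")
}

// clearHandler expires every demo cookie so the experiment can be repeated.
// Path (and Domain, if used) must match the original or the browser keeps the old cookie.
func clearHandler(w http.ResponseWriter, r *http.Request) {
	for i := range demoCookies {
		c := demoCookies[i]
		c.Value = ""
		c.MaxAge = -1               // Max-Age=0 on the wire: delete immediately
		c.Expires = time.Unix(0, 0) // for clients that ignore Max-Age
		http.SetCookie(w, &c)
	}
	fmt.Fprintln(w, "cookies cleared")
}

// received reports, for each demo cookie, whether the browser sent it with r.
// A false entry is a cookie the browser withheld for this request context.
func received(r *http.Request) map[string]bool {
	got := make(map[string]bool, len(demoCookies))
	for _, c := range demoCookies {
		_, err := r.Cookie(c.Name)
		got[c.Name] = err == nil
	}
	return got
}

// reportHandler is the "second GET": ✅ for cookies that came back, ❌ otherwise.
func reportHandler(w http.ResponseWriter, r *http.Request) {
	got := received(r)
	names := make([]string, 0, len(got))
	for n := range got {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		mark := "❌"
		if got[n] {
			mark = "✅"
		}
		fmt.Fprintf(w, "%s %s\n", mark, n)
	}
}

func main() {
	for _, h := range setCookieHeaders() {
		fmt.Println("Set-Cookie:", h)
	}
	// Offline illustration (constructed request): the browser withheld the Strict
	// cookie, as it does for a top-level navigation arriving from another site.
	req, _ := http.NewRequest(http.MethodGet, "/report", nil)
	req.Header.Set("Cookie", "ss_lax=1; ss_none=1; ss_unset=1")
	fmt.Println(received(req)) // map[ss_lax:true ss_none:true ss_strict:false ss_unset:true]

	mux := http.NewServeMux()
	mux.HandleFunc("/set", setHandler)
	mux.HandleFunc("/clear", clearHandler)
	mux.HandleFunc("/report", reportHandler)
	// Serve over HTTPS in practice: a Secure cookie is only stored from a secure origin.
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

Run it, visit `/set`, then `/report`, and compare the marks with the tables below; `/clear` resets the state. Embedding `/report` in an iframe on another origin, or linking to it from another site, reproduces the cross-site scenarios that follow.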
Browser behavior:
- Cookies with SameSite=Strict or SameSite=Lax are not sent inside the iframe because it is a cross-site context; only the SameSite=None cookie is sent.
- No cookies at all are sent in the cross-site context inside the iframe. A browser that blocks third-party cookies altogether withholds even the SameSite=None cookie.
When SameSite is not set on a cookie, Chrome defaults the cookie to SameSite=Lax. Chrome also applies a "Lax + POST" mitigation: a cookie with no SameSite attribute is still sent on a top-level cross-site POST for two minutes after it was set. For more info see the Chromium SameSite FAQ.
When navigating to this site from a different site (e.g., by clicking a link), the browser already holds the cookie with SameSite=Strict, but it does not send it to the server on that first page load.
Try the following to remove all cookies and retrieve them again from the server, then come back to this site from a different site:
Browser behavior:
- When returning to this site by clicking a link on another site, the cookie with SameSite=Strict is not sent.
Even if you hit refresh in the browser, it won't send the cookie with SameSite=Strict. Chrome and Safari, however, will send it with a
Just like when navigating to a site from a different site, cookies with SameSite=Strict are not sent after a 302 redirect from a different site.
Browser behavior:
- Only the Lax and None cookies are sent after being redirected to this site from a different site.
- All cookies are sent after a 302 redirect from a different site.
Chrome treats a 302 redirect from a different site differently from arriving via a link. Chrome decides whether a top-level navigation is same-site from the initiator of the navigation and, by default, does not take the intermediate URLs of a redirect chain into account, so a hop through another site does not by itself make the final request cross-site.
Cookies can carry the Secure attribute. A cookie marked Secure is only sent over secure (HTTPS) connections. If SameSite=None is used, the Secure attribute must also be set, but not all browsers enforce this requirement.
Browser behavior:
- It's likely that all cookies are received even without the Secure attribute.
- Cookies with SameSite=None are not accepted, and therefore never received back, unless the Secure attribute is set on the cookie.
Eventually no browser will accept a SameSite=None cookie without the Secure attribute. Chrome has already made this change; see this blog post for more information.
Browser behavior:
- Just like navigating to a page from a different site, when visiting a page via a QR code the cookie with SameSite=Strict is not sent.
Scanning a QR code is treated just like navigating to the page from a different site.
I hope you enjoyed walking through these SameSite scenarios. If you are aware of other interesting SameSite behavior, please let me know!
Site built with ♡ using Go, AlpineJS, Tailwind CSS, and OpenMoji. For corrections or feedback please feel free to drop me an email 📧 or create an issue.