SameSite cookies explained None, Lax, Strict
????️♂️Chrome 这波 cookie 安全策略的升级估计会影响很多第三方的 cookie!
cookies explained
Set-Cookie: promo_shown=1; Max-Age=2600000; Secure
Cookie: promo_shown=1
document.cookie;
document.cookie = "promo_shown=1; Max-Age=2600000; Secure";
chrome://flags/#cookies-without-same-site-must-be-secure
about:config
Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
Set-Cookie: <cookie-name>=<cookie-value>; Secure
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax
// Multiple directives are also possible, for example:
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly
None, Lax, Strict
demo
A cookie associated with a cross-site resource awas set without the SameSite
attribute.
A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
.
You can review cookies in developer tools under Application>Storage>Cookies and see more details at Cookies default to SameSite=Lax
Reject insecure SameSite=None cookies