Modifies the definition of same-site for cookies such that requests on the same registrable domain but across schemes are considered cross-site instead of same-site. E.g., http:// site.example and https:// site.example (note: a space was added between the scheme and the domain to prevent automatic link conversion) will now be considered cross-site to each other. Releasing to Stable, as part of a gradual rollout, starting in M88.
The SameSite cookie attribute offers defense against CSRF attacks but currently does not consider the secure and insecure versions of the same domain to be cross-site; because of this, a network attacker could impersonate http:// site.example (or a subdomain) and use that to bypass SameSite protections on https:// site.example. Changing the same-site computation to consider http:// site.example and https:// site.example as cross-site negates this type of attack. This change aligns the cookie definition of same-site, and Chrome’s future implementation, with the changes to the WHATWG definition described in the explainer.
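The following is an added illustration, not Chromium code: it computes the "site" of a URL both the old way (registrable domain only) and the schemeful way (scheme plus registrable domain), so the http:// vs https:// case described above can be checked directly. The tiny public-suffix table is a constructed stand-in for the real Public Suffix List.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation consults the full list). Anything under these is registrable.
PUBLIC_SUFFIXES = {"example", "co.example"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 for host, or None if host has no registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.example" wins over "example" for foo.co.example.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The public suffix itself (i == 0) is not a registrable domain.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def site_for_cookies(url: str, schemeful: bool) -> Tuple:
    """Old behaviour: site = registrable domain. Schemeful: (scheme, domain)."""
    parts = urlsplit(url)
    domain = registrable_domain(parts.hostname or "")
    return (parts.scheme.lower(), domain) if schemeful else (domain,)


def is_same_site(request_url: str, top_level_url: str, schemeful: bool = True) -> bool:
    """True if the two URLs are same-site for SameSite cookie purposes."""
    a = site_for_cookies(request_url, schemeful)
    b = site_for_cookies(top_level_url, schemeful)
    if a[-1] is None or b[-1] is None:
        return False  # no registrable domain: never same-site
    return a == b


if __name__ == "__main__":
    # The spoofable-HTTP-origin case from the description: a network attacker
    # controlling http://site.example used to count as same-site to the HTTPS site.
    pairs = [("http://site.example", "https://site.example"),
             ("https://sub.site.example/x", "https://site.example"),
             ("https://site.example", "https://other.example")]
    for req, top in pairs:
        print(f"{req} vs {top}: schemeless={is_same_site(req, top, False)} "
              f"schemeful={is_same_site(req, top, True)}")
```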
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 89
- Chrome for Android release 89
Consensus & Standardization
Intent to Prototype thread
Last updated on 2021-04-08