Deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected. This feature is available as of Chrome 76 by enabling the cookies-without-same-site-must-be-secure flag. This feature will be rolled out gradually to Stable users starting July 14, 2020. See for full timeline and more details.


Cookies delivered over plaintext channels may be cataloged or modified by network attackers. Requiring secure transport for cookies intended for cross-site usage reduces this risk, and encourages entities that produce embeddable content to migrate to HTTPS. The use of non-Secure cookies facilitates pervasive monitoring, a widespread attack on users’ privacy. This change will mitigate the risks presented by pervasive monitoring by curtailing the use of non-Secure third-party cookies. Third-party cookies are widely used for tracking and may contain sensitive data that pertains to user identity. Cookies with SameSite=None are specifically marked for use in third-party contexts. By requiring SameSite=None cookies to be Secure, users are protected by default from attacks on their identifying data that may compromise their privacy. In addition, non-secure embeds are a risk to users’ privacy and security. The use of non-secure embeds degrades users’ security and user experience on first-party sites by hampering first-party upgrades to secure transport because of limitations imposed on mixed content. The use of HTTPS protects users and sites, and the presence of mixed embedded content downgrades its security benefits. Requiring Secure for SameSite=None cookies will increase the security of the web by encouraging embeddable content producers to migrate to HTTPS.



Specification link

Specification currently under development in a Working Group

Status in Chromium


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No signal
  • No signals


Search tags

Cookies, SameSite, Secure,

Last updated on 2021-12-13