'SameSite' cookie attribute

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 51)
Intent stage: None

Summary

Same-site cookies (née "First-Party-Only" (née "First-Party")) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

Standards & signals

Specification: https://tools.ietf.org/html/draft-west-first-party-cookies
Firefox: Shipped/Shipping
Safari: No signal
Web developers: Positive
Tracking bug: https://crbug.com/459154

View on chromestatus.com