Web HTTP - SameSite Cookie property (First-Party-Only)


SameSite is a property of a cookie that controls whether the cookie should be sent along with a cross-site HTTP request, i.e.:

SameSite cookies are:

They allow servers to mitigate the risk of cross-site request forgery attacks (CSRF) and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.


  • Consider the scenario in which a user reads their email at MegaCorp Inc's webmail provider “https://mail.example.com/”.
  • They might expect that clicking on an emailed link to “https://projects.com/secret/project” would show them the secret project that they're authorized to see.
  • But if projects.com has marked their session cookies as strict, then this cross-site navigation won't send them along with the request and projects.com will render a 404 error to avoid leaking secret information.
  • The user will be quite confused.

Developers can avoid this confusion by adopting a session management system that relies on not one, but two cookies:

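| Number | Cookie Authorization | SameSite       | Description                                         |
|--------|----------------------|----------------|-----------------------------------------------------|
| 1      | read                 | Lax (or empty) | Allow users access to data via top-level navigation |
| 2      | write                | Strict         | Disallow write operation via top-level navigation   |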

When the second cookie is absent, the server would require a reauthentication step before executing any non-idempotent action.



Top-level site

The “top-level site” is the registered domain in the address bar of the browser.

Same-site vs Cross-site

A request is:


  • login.example.com and blog.example.com will trigger a same-site request because they share the same apex domain.


SameSite values:

  • Lax (default in browsers): cookies
    • are allowed to be sent with top-level navigations (when this is the first navigation)
    • will be sent along with GET requests initiated by a third-party website.
  • Strict: cookies
    • are only sent in a first-party context (same-site)
    • will not be sent along with requests initiated by third-party websites.
  • None: cookies will be sent in all contexts, i.e. sending cross-origin is allowed.
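
The two-cookie session scheme described earlier, combined with a simplified model of the SameSite values listed above, as an added example that is not part of the original page. The cookie names `sid_read` and `sid_write`, the function names and the token values are assumptions made for illustration.

```javascript
// Added example, not from the original page. The cookie names sid_read and
// sid_write, the function names and the token values are assumptions.

// Set-Cookie headers for the two-cookie scheme. Tokens are passed in; in a
// real system they come from a CSPRNG and are validated server-side.
function sessionCookies(readToken, writeToken) {
  const common = "Path=/; Secure; HttpOnly";
  return [
    `sid_read=${readToken}; ${common}; SameSite=Lax`,
    `sid_write=${writeToken}; ${common}; SameSite=Strict`,
  ];
}

// Simplified model of which cookies a browser attaches to a request, following
// the SameSite values on this page. ctx: { crossSite, topLevelNavigation, method }
function cookiesSent(setCookieHeaders, ctx) {
  const sent = [];
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const attr = attrs.find((a) => a.toLowerCase().startsWith("samesite="));
    const mode = attr ? attr.split("=")[1].toLowerCase() : "lax"; // browser default
    const laxOk = mode === "lax" && ctx.topLevelNavigation && ctx.method === "GET";
    if (!ctx.crossSite || mode === "none" || laxOk) sent.push(pair);
  }
  return sent.join("; ");
}

// Server-side decision for an action classified as "read" or "write".
// A valid read cookie without the write cookie triggers reauthentication.
function authorize(action, cookieHeader, validRead, validWrite) {
  const jar = Object.create(null);
  for (const part of cookieHeader.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  if (jar.sid_read !== validRead) return "login";
  if (action === "read") return "allow";
  return jar.sid_write === validWrite ? "allow" : "reauthenticate";
}

// The emailed-link scenario: a cross-site, top-level GET navigation.
const issued = sessionCookies("r-constructed", "w-constructed");
const viaEmailLink = cookiesSent(issued, { crossSite: true, topLevelNavigation: true, method: "GET" });
console.log(viaEmailLink);
console.log(authorize("read", viaEmailLink, "r-constructed", "w-constructed"));
console.log(authorize("write", viaEmailLink, "r-constructed", "w-constructed"));
```

The user arriving from the emailed link can see the project page, while a write attempted in that same cross-site context falls through to reauthentication instead of a confusing 404.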
