samesite-examples

by GoogleChromeLabs


Examples of using the SameSite cookie attribute in a variety of languages, libraries, and frameworks.

263 Stars 50 Forks Last release: Not found Apache License 2.0 33 Commits 0 Releases


πŸͺ
SameSite
examples

This is a companion repo for the "SameSite cookies explained" article on web.dev. This is your starting point for how cookies work, the functionality of the `SameSite` attribute, and the changes in Chrome to apply a `SameSite=Lax` policy by default while requiring the use of `SameSite=None; Secure` for cookies in a third-party context.

This functionality is available now in Chrome 76 behind the associated flags to let you test the effect on your site. This is intended to become default behaviour as of Chrome 80.

`SameSite=Lax` by default

Turn this flag on to have Chrome apply the equivalent of `SameSite=Lax` to cookies without a `SameSite` attribute specified.

Require `Secure` with `SameSite=None`

Turn on this flag along with the previous flag to have Chrome enforce the need for any `SameSite=None` cookie to also specify the `Secure` attribute.

See affected cookies

  • Flag: `chrome://flags/#cookie-deprecation-messages`

This will add console warning messages for every single cookie potentially affected by this change.

⚠️ WARNING: You will see a lot of messages! Seriously, a lot of messages.

Since the vast majority of cookies do not have any `SameSite` attribute set, they are all sent in a cross-site context, regardless of whether or not the intent is to use them there.

As you add the correct `SameSite` and `Secure` values to your cookies, you will be able to use the console warnings to test for any you have missed. Try this without the previous flags enabled.
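The console warnings described above can be approximated offline for a list of `Set-Cookie` headers. The following is an added example, not code from this repo: it parses each header and reports how the three Chrome behaviours above would treat the cookie (no `SameSite` attribute at all, `SameSite=None` without `Secure`, or a correct `SameSite=None; Secure`). The sample headers and the finding codes are constructed for the example; the "unrecognised value" category is an addition for values that are none of `None`, `Lax` or `Strict`.

```python
"""Classify Set-Cookie headers the way the Chrome flags above would treat them.

Added example; not part of the samesite-examples repo. Sample headers are constructed.
"""

# Constructed sample response headers, one cookie per Set-Cookie line.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                # no SameSite attribute at all
    "widget=xyz; Path=/; SameSite=None",               # None without Secure
    "widget_ok=xyz; Path=/; SameSite=None; Secure",    # correct for a third-party context
    "csrf=tok; Path=/; SameSite=Strict; Secure",       # first-party only
    "prefs=dark; Path=/; SameSite=Sometimes",          # value that is not None/Lax/Strict
]

# Human-readable meaning of each finding code, matching the flag descriptions above.
FINDINGS = {
    "lax-by-default": "no SameSite attribute: Chrome applies SameSite=Lax, so the cookie is "
                      "withheld from cross-site requests",
    "rejected-none-without-secure": "SameSite=None without Secure: Chrome rejects the cookie",
    "unrecognised-samesite-value": "SameSite value is not None, Lax or Strict",
    "ok-none-secure": "SameSite=None; Secure: usable in a third-party context",
    "ok": "explicit Lax or Strict: first-party use only",
}


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive; flag
    attributes such as Secure get an empty-string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(header):
    """Return (cookie name, finding code) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        return name, "lax-by-default"
    value = attrs["samesite"].lower()
    if value == "none":
        return name, "ok-none-secure" if "secure" in attrs else "rejected-none-without-secure"
    if value in ("lax", "strict"):
        return name, "ok"
    return name, "unrecognised-samesite-value"


def audit(headers):
    """Classify every header and return the list of (name, code) pairs."""
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for name, code in audit(SAMPLE_HEADERS):
        print(f"{name}: {FINDINGS[code]}")
```

Feed it the `Set-Cookie` headers from your own responses (for example collected from a proxy or a test client) and fix every `lax-by-default` cookie that is meant to work cross-site and every `rejected-none-without-secure` cookie; the remaining ones are already in the shape Chrome 80 expects.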

📋 Examples

In this repo you'll find examples on making use of `SameSite=None; Secure` in a variety of languages, libraries, and frameworks. The `SameSite` attribute is widely supported, but the addition of the explicit `None` value may require updates or work-arounds.

🚧 NOTE: To test that the `None` value is set, you need to test in a browser that parses this addition, e.g. Chrome 76 or above. The changes should be backwards compatible, but older browsers should ignore the `None` value, so you will not see it in any cookie view there.
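As one concrete instance of the pattern the language examples in this repo demonstrate, here is an added example (not the repo's own code) that emits `SameSite=None; Secure` with Python's standard library. It assumes Python 3.8 or newer, where `http.cookies.Morsel` accepts the `samesite` attribute; the cookie names and values are constructed.

```python
"""Emit a SameSite=None; Secure cookie with Python's standard library.

Added example; not code from the samesite-examples repo. Assumes Python 3.8 or
newer, where http.cookies.Morsel accepts the 'samesite' attribute.
"""
from http.cookies import SimpleCookie

ALLOWED_SAMESITE = ("None", "Lax", "Strict")


def set_cookie_header(name, value, same_site="Lax", path="/", http_only=True, secure=True):
    """Return a Set-Cookie header value with an explicit SameSite attribute.

    Secure is forced on whenever SameSite=None is requested, because Chrome
    rejects a None cookie that is not also Secure.
    """
    same_site = same_site.capitalize()          # accept "none", "NONE", ...
    if same_site not in ALLOWED_SAMESITE:
        raise ValueError(f"SameSite must be one of {ALLOWED_SAMESITE}, got {same_site!r}")
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    morsel["samesite"] = same_site
    if http_only:
        morsel["httponly"] = True
    if secure or same_site == "None":
        morsel["secure"] = True                 # required together with SameSite=None
    return morsel.OutputString()


def third_party_cookie_header(name, value, **kwargs):
    """Cookie that must be sent in a third-party context, e.g. from an embedded iframe."""
    return set_cookie_header(name, value, same_site="None", **kwargs)


def has_none_and_secure(header):
    """True when the header carries both SameSite=None and Secure (what Chrome 80 requires)."""
    attrs = {p.strip().lower() for p in header.split(";")[1:]}
    return "samesite=none" in attrs and "secure" in attrs


if __name__ == "__main__":
    # Constructed cookie names and values.
    print("Set-Cookie:", third_party_cookie_header("widget_session", "abc123"))
    print("Set-Cookie:", set_cookie_header("app_session", "xyz789", same_site="Strict"))
```

Because older browsers ignore the `None` value, verify the emitted header in Chrome 76 or above as the note says; the `has_none_and_secure` check only confirms that the server sent the right attributes, not how a given browser interprets them.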

If your specific platform isn't covered here, please raise an issue or a pull request to include it.

🙋 Questions

You can raise an issue in this repo if there is specific behaviour you would like to see documented or something that's not clear in the current examples.

You can also use the `samesite` tag on StackOverflow, which we will monitor on a regular basis. As the discussion evolves there, we'll also add a Frequently Asked Questions section to this repo for easy reference.

💻 Contributing

Issues and pull requests are always welcome. For details, see CONTRIBUTING.

This is not an officially supported Google product.
