hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Feb 03, 2020

This Microsoft page has a simpler explanation for the SameSite attribute values than the RFC:

 

https://docs.microsoft.com/en-us/microsoftteams/platform/resources/samesite-cookie-update

 

Lax Cookies will be sent automatically only in a first-party context and with HTTP GET requests. SameSite cookies will be withheld on cross-site sub-requests, such as calls to load images or iframes, but will be sent when a user navigates to the URL from an external site, e.g., by following a link.

 

Strict The browser will only send cookies for first-party context requests (requests originating from the site that set the cookie). If the request originated from a different URL than that of the current location, none of the cookies tagged with the Strict attribute will be sent.

 

None Cookies will be sent in both first-party context and cross-origin requests; however, the value must be explicitly set to None and all browser requests must follow the HTTPS protocol and include the Secure attribute which requires an encrypted connection. Cookies that don't adhere to that requirement will be rejected. Both attributes are required together. If just None is specified without Secure or if the HTTPS protocol is not used, the third-party cookie will be rejected.