This is a tracking task for grouping issues related to the SameSite cookie flag.
SameSite=Strict prevents the browser from sending the cookie on a request unless the request originates from the same domain. SameSite=Lax is similar but exempts top-level GET requests (such as loading a new page by clicking a link). SameSite=None is the traditional behavior (no restrictions), which used to be the default, but modern browsers increasingly default to SameSite=Lax, and are also starting to ignore SameSite=None when the cookie is not set with the Secure flag (and over HTTPS). Some older browsers, on the other hand, interpret any SameSite value as Strict. (details, details)
"Same domain" also means same scheme; this might impact mixed-protocol non-Wikimedia sites and leftover HTTP links on Wikimedia sites.
- Chrome (and Edge/Opera): Cookies default to SameSite=Lax; Reject insecure SameSite=None cookies; Schemeful same-site - all fully rolled out.
- Firefox: Same behavior as Chrome (see v96 release notes)
Both Firefox and Chrome do (did?) default to None for top-level requests when the cookie is less than two minutes old (source).
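As an added example (not part of this task or of any browser's code), the following models the rules above: the Lax default, rejection of SameSite=None without Secure, schemeful same-site matching, and the two-minute top-level exception. Site matching uses a simplified "last two labels" registrable-domain rule, which is an assumption; real browsers consult the Public Suffix List.

```javascript
// Parse the attributes of a Set-Cookie header that matter for SameSite decisions.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: nameValue.split("=")[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") {
      const val = v.toLowerCase();
      // Unknown values are treated as "unspecified" (null), i.e. the browser default.
      cookie.sameSite = ["strict", "lax", "none"].includes(val) ? val : null;
    }
  }
  return cookie;
}

// "Schemeful same-site": scheme and registrable domain must both match.
// Simplification (assumption): registrable domain = last two host labels.
function isSameSite(originA, originB) {
  const site = (u) => {
    const url = new URL(u);
    return url.protocol + "//" + url.hostname.split(".").slice(-2).join(".");
  };
  return site(originA) === site(originB);
}

// Decide whether the browser would store the cookie and send it on a request.
// ctx: { requestUrl, initiatorUrl, topLevel, method, cookieAgeSeconds }
function wouldSendCookie(header, ctx) {
  const c = parseSetCookie(header);
  const mode = c.sameSite ?? "lax"; // modern default: unspecified => Lax
  // SameSite=None without Secure is rejected outright, so it is never sent.
  if (mode === "none" && !c.secure) return false;
  // A Secure cookie is only ever sent over HTTPS.
  if (c.secure && new URL(ctx.requestUrl).protocol !== "https:") return false;
  if (mode === "none") return true;
  if (isSameSite(ctx.initiatorUrl, ctx.requestUrl)) return true;
  if (mode === "strict") return false;
  // Lax: cross-site only on top-level navigations using a safe method ...
  const method = (ctx.method || "GET").toUpperCase();
  if (ctx.topLevel && (method === "GET" || method === "HEAD")) return true;
  // ... plus the exception noted above: a cookie with no explicit SameSite
  // attribute that is under two minutes old is also sent on top-level POST.
  return !!ctx.topLevel && c.sameSite === null && ctx.cookieAgeSeconds < 120;
}
```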
Spec:
- Same-site Cookies
- Incrementally Better Cookies (original spec, latest)
Testing:
- current browser behavior: https://samesite-sandbox.glitch.me/ - with the new SameSite behavior, it should be all green.
- Chrome: override with same-site-by-default-cookies and cookies-without-same-site-must-be-secure
- Firefox: override with network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure