Reputation: 25935
Chrome 80 allows insecure SameSite=None cookies
I recently upgraded to Chrome 80 and enabled the new SameSite policy for cookies in chrome://flags. While developing locally, my server framework is set up to emit the authentication cookies with the SameSite=None attribute. For the time being I don't have SSL enabled.
Now I'm wondering, how come Chrome allows these, as, if I've understood the policy correctly, all SameSite=None cookies must be secure, regardless of environment?
Upvotes: 2
Views: 1373
Answers (1)
Reputation: 3050
Yes, you will only be able to set SameSite=None with Secure. So, I think if you do not have SSL in your dev environment, you should not set either of these attributes.
The new behaviour comes from both:
chrome://flags/#same-site-by-default-cookies- and
chrome://flags/#cookies-without-same-site-must-be-secure
You can check if your browser is enforcing the complete behaviour on https://samesite-sandbox.glitch.me
Upvotes: 2
Related Questions
- Cookies with SameSite=None; Secure=true are not sent in all contexts. Chrome 91
- SameSite=none and insecure http cookies fail to work on Chrome
- Flag to disable 'Cookies without SameSite must be secure' when launching chrome
- SameSite=None not working on Chrome incognito?
- js-cookie with sameSite None & secure
- Chrome filter out SameSite:None secure cookie
- Will a cookie whose samesite=none and secure=true not set from Chrome 80?
- Turn off samesite enforcement in chrome version > 80
- Chrome 80+ A cookie associated with a cross-site resource was set without the `SameSite` attribute. It has been blocked
- Setting SameSite=none, secure in Chrome Extension