Shuhei KOIKE

Reputation: 73

Will a cookie whose samesite=none and secure=true not be set from Chrome 80?

I know the behavior of cookies changes from Chrome 80.
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

This blog says, "When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections." Does this mean that a cookie with SameSite=None and Secure=False will be rejected by Chrome? Can't we set such a cookie?

I couldn't read it that way.

However, the description of the test method written in this blog also says "it will be rejected":

Cookies without SameSite must be secure

If enabled, cookies without SameSite restrictions must also be Secure. If a cookie without SameSite restrictions is set without the Secure attribute, it will be rejected. This flag only has an effect if "SameSite by default cookies" is also enabled. – Mac, Windows, Linux, Chrome OS, Android

Is this correct behavior?

Upvotes: 7

Views: 12706

Answers (1)

rowan_m

Reputation: 3050

Correct. If you are setting SameSite=None it must always be Secure. If you do not set Secure, the cookie will be rejected.

Chrome makes two flags available for early testing:

  • chrome://flags/#same-site-by-default-cookies - this flag will treat cookies without a SameSite attribute as if they had SameSite=Lax.
  • chrome://flags/#cookies-without-same-site-must-be-secure - this flag will cause cookies with SameSite=None but missing Secure to be rejected.

While these are two separate changes from a Chrome implementation point of view, developers should look to address this as one change. Review existing cookies and set the appropriate SameSite and Secure attributes where possible.

Upvotes: 6
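To make the two rules in the answer concrete, here is an added example (not code from the question, the answer, or Chromium) that evaluates raw Set-Cookie header values the way Chrome 80 does and appends the missing Secure attribute where the cookie would otherwise be rejected. The sample headers are constructed; treating an unrecognised SameSite value like a missing one is an assumption made in the code.

```python
from dataclasses import dataclass

# Constructed sample Set-Cookie headers exercising the Chrome 80 rules
# described in the answer above (not taken from any real server).
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; SameSite=None",          # rejected: None without Secure
    "sid=abc123; Path=/; SameSite=None; Secure",  # accepted, usable cross-site
    "pref=dark; Path=/",                          # no SameSite: defaulted to Lax
    "csrf=xyz; SameSite=Strict; Secure",          # accepted, same-site only
]

@dataclass
class CookieVerdict:
    name: str
    effective_samesite: str  # "Strict", "Lax" or "None"
    secure: bool
    rejected: bool
    reason: str

def parse_attributes(header):
    """Split a Set-Cookie value into (cookie name, {lowercased attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def evaluate_set_cookie(header):
    """Apply the two Chrome 80 rules from the answer: a missing SameSite is
    treated as Lax, and SameSite=None without Secure is rejected outright."""
    name, attrs = parse_attributes(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and not secure:
        return CookieVerdict(name, "None", False, True, "SameSite=None without Secure is rejected")
    if samesite == "none":
        return CookieVerdict(name, "None", True, False, "SameSite=None; Secure: sent cross-site over HTTPS only")
    if samesite in ("lax", "strict"):
        return CookieVerdict(name, samesite.capitalize(), secure, False, "explicit SameSite attribute honoured")
    # Missing SameSite (and, an assumption here, an unrecognised value) defaults to Lax.
    return CookieVerdict(name, "Lax", secure, False, "no SameSite attribute: treated as Lax by default")

def harden_set_cookie(header):
    """Return the header with Secure appended where Chrome 80 would otherwise reject it."""
    if evaluate_set_cookie(header).rejected:
        return header.rstrip("; ") + "; Secure"
    return header
```

Running evaluate_set_cookie over each entry of SAMPLE_HEADERS shows the first one rejected and the third silently downgraded to Lax, which is why the answer recommends auditing all existing cookies rather than only the cross-site ones.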
