SameSite Cookie Attribute Reference

SameSite=None/Lax/Strict behavior with cross-origin request type matrix.

Reference for the SameSite cookie attribute values None, Lax and Strict, the Secure requirement for None, and whether a cookie is sent for each cross-site request type. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the default SameSite value?

Modern browsers treat a cookie with no SameSite attribute as Lax by default. Lax sends the cookie on same-site requests and on top-level cross-site navigations (like clicking a link) but not on cross-site subresource loads or background fetches.

The SameSite cookie attribute controls whether a cookie accompanies requests that originate from a different site, which is the core defence against cross-site request forgery (CSRF) and a key lever in third-party cookie deprecation. This reference covers the three values and shows, per request type, whether the cookie is sent.

How it works

The browser classifies each request as same-site or cross-site relative to the cookie’s domain, then applies the attribute:

Set-Cookie: session=abc; SameSite=Lax; Secure; HttpOnly
Set-Cookie: widget=xyz; SameSite=None; Secure

Strict sends the cookie only on same-site requests. Lax (the default) adds one exception — top-level cross-site navigations using a safe method, such as clicking a link. None sends the cookie on all cross-site requests but is rejected unless paired with Secure. Even None; Secure cookies are now frequently blocked as part of third-party cookie phase-out.

The sending matrix

Request typeStrictLax (default)None + Secure
Same-site (any method)SentSentSent
Cross-site top-level GET navigation (link click)Not sentSentSent
Cross-site top-level POST (form submission)Not sentNot sentSent
Cross-site iframe loadNot sentNot sentSent
Cross-site subresource (img, script, CSS)Not sentNot sentSent
Cross-site background fetch / XHRNot sentNot sentSent

Understanding this matrix is the core of using SameSite correctly. The most important row is “cross-site top-level GET navigation” — Lax allows the cookie here (so users arriving from a link stay logged in), while Strict does not (so they appear logged out until they complete a same-site navigation).

Practical decision guide

Use Strict for session cookies on high-sensitivity applications — admin consoles, banking, healthcare portals — where an authenticated GET request triggered from another page would be dangerous even without a method change.

Use Lax (or leave it unset) for standard authenticated web applications. Most session cookies should be here. Users arriving via link stay logged in; cross-site POST forms (CSRF vectors) do not carry the cookie.

Use None; Secure when a cookie genuinely needs to work across sites — embedded widgets, OAuth callbacks that traverse origins, third-party analytics. Be aware that this mode is increasingly blocked by browsers as part of third-party cookie phase-out, and plan for alternatives.

Chrome’s multi-year effort to remove third-party cookie support, combined with existing blocking in Safari and Firefox, means SameSite=None; Secure cookies are increasingly unavailable for many use cases. Alternatives depending on your scenario:

  • CHIPS (Partitioned attribute): The cookie is scoped to the top-level site — so an embedded widget.example.com cookie is partitioned separately for each site that embeds it. Supported in Chrome; use Partitioned alongside SameSite=None; Secure.
  • Storage Access API: Lets embedded frames request user-granted access to unpartitioned cookies via a browser permission prompt.
  • FedCM (Federated Credential Management): For federated identity flows replacing cookie-based cross-site SSO.
  • Server-side approaches: For analytics and attribution, first-party server-side event collection avoids the third-party cookie issue entirely.

Tips and notes

  • Default to Lax; reserve Strict for the most sensitive session cookies.
  • SameSite=None without Secure is rejected — always pair them.
  • For embedded cross-site cookies, consider CHIPS (Partitioned) or the Storage Access API.
  • Lax still permits the cookie on top-level GET navigations, so it is not full CSRF immunity — also use CSRF tokens.
  • A subresource (image, script, fetch) to your own site from a third-party page is cross-site and follows these rules.