Server Installation, Configuration, and Deployment

SameSite attribute values

You can set the SameSite attribute to one of the following values:

Lax
    Cross-site cookies are not sent if a request to an application is sent from the context of another website, but they are sent if the user follows a link to the application. In recent browser versions, Lax is the default cookie value if the SameSite attribute is not explicitly specified.

    If the SameSite attribute for a cookie is not specified, for example,

        Set-Cookie: flavor=choco

    you receive the following warning:

        Cookie "myCookie" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute.

    To fix this issue, you must explicitly communicate the intended SameSite attribute for your cookie instead of relying on browsers to apply SameSite=Lax automatically. This also improves the experience across browsers, as not all of them default to Lax. For example:

        Set-Cookie: flavor=choco; SameSite=Lax

Strict
    Cookies are only sent in a first-party context, not in response to third-party requests. Strict mode therefore ensures that the cookie is never used in the context of another web application.

None
    Cookies are sent in all contexts, that is, in response to both first-party and cross-site requests. If the SameSite attribute is set to None, the cookie's Secure attribute must also be set; otherwise, the cookie is blocked. A cookie that requests SameSite=None but is not marked Secure is rejected.

    For example, if you use:

        Set-Cookie: flavor=choco; SameSite=None

    you receive the following warning:

        Cookie "myCookie" rejected because it has the "SameSite=None" attribute but is missing the "secure" attribute. This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required to use "SameSite=None".

    To fix this issue, you must add the Secure attribute to your SameSite=None cookies as follows:

        Set-Cookie: flavor=choco; SameSite=None; Secure

    A Secure cookie is only sent to the server with an encrypted HTTPS request.
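The following checker applies the rules above (missing SameSite is treated as Lax with a warning; SameSite=None without Secure is rejected) to Set-Cookie header values, so you can audit what an application sends before a browser does. It is an added example, not part of this documentation or of any of the application servers it covers; the function name check_set_cookie, the CookieVerdict type and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers against the SameSite/Secure rules above.

Constructed example; not part of the original documentation.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CookieVerdict:
    name: str
    samesite: str                      # effective policy: "Lax", "Strict" or "None"
    secure: bool
    blocked: bool                      # True when a browser would reject the cookie
    warnings: list = field(default_factory=list)


def check_set_cookie(header: str) -> CookieVerdict:
    """Classify one Set-Cookie header value the way a modern browser would."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    explicit: Optional[str] = None     # SameSite value as sent, None if absent/unrecognised
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            value = value.strip().capitalize()        # normalise lax/LAX/Lax
            explicit = value if value in ("Lax", "Strict", "None") else None
    # An unspecified SameSite attribute defaults to Lax in recent browsers.
    verdict = CookieVerdict(name=name, samesite=explicit or "Lax",
                            secure=secure, blocked=False)
    if explicit is None:
        verdict.warnings.append(
            f'Cookie "{name}" has "SameSite" policy set to "Lax" because '
            'it is missing a "SameSite" attribute')
    if explicit == "None" and not secure:
        verdict.blocked = True         # SameSite=None requires Secure
        verdict.warnings.append(
            f'Cookie "{name}" rejected because it has the "SameSite=None" '
            'attribute but is missing the "secure" attribute')
    return verdict


if __name__ == "__main__":
    # Constructed sample headers covering each case discussed above.
    for hdr in ("flavor=choco", "flavor=choco; SameSite=Lax",
                "flavor=choco; SameSite=None", "flavor=choco; SameSite=None; Secure"):
        v = check_set_cookie(hdr)
        print(f"{hdr!r}: effective={v.samesite} blocked={v.blocked} {v.warnings}")
```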
