In a nutshell

SameSite is an attribute of the Set-Cookie HTTP response header that lets you specify whether an outgoing cookie should be restricted to first-party requests. You set SameSite on the server side like this:

Set-Cookie: <cookie-name>=<cookie-value>; SameSite=<same-site-value>

Values of SameSite

Lax (default in most browsers)

Cookies are sent only for first-party requests or cross-site requests where the user navigates to the origin site (e.g., via a link).

For example, a Lax cookie will be sent if a user is on and clicks on a link to go to The navigation from to is a cross-site request but it’s a top-level navigation so the Lax cookie from cookie will still be sent to the client.

If loaded an iframe pointing to, then this is a cross-site request that’s not a top-level navigation, so a Lax cookie from won’t be sent to

If you wanted a cookie from to be sent even if was loaded in an iframe, you’d have to set the SameSite value to None.

Lax recently replaced None as the default value for SameSite if the SameSite attribute is not explicitly specified.


Strict

Cookies are sent only with first-party requests, not with third-party requests.


None

Cookies are sent with both first-party and third-party requests. If SameSite=None is set, the cookie's Secure attribute must also be set to prevent the cookie from being blocked.
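The rules above can be written as a small decision function. This is an added example, not code from the original page: parseSetCookie and shouldSend are hypothetical helper names, the header strings are constructed, and the caller says whether a request is same-site. It also goes one step beyond the text by applying the safe-method restriction (GET, HEAD, OPTIONS, TRACE) that browsers place on Lax cookies during cross-site top-level navigation.

```javascript
// Simplified model of the browser's SameSite decision (added example).
// Not modelled: Domain/Path matching, expiry, Secure cookies over plain HTTP.

// Parse a Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: "Lax", // default when the attribute is not specified
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = v.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite" && val === "strict") cookie.sameSite = "Strict";
    if (key === "samesite" && val === "none") cookie.sameSite = "None";
  }
  // SameSite=None without Secure is blocked by the browser.
  cookie.rejected = cookie.sameSite === "None" && !cookie.secure;
  return cookie;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// request: { sameSite: boolean, topLevelNavigation: boolean, method: string }
function shouldSend(cookie, request) {
  if (cookie.rejected) return false; // never stored, so never sent
  if (request.sameSite) return true; // first-party request
  switch (cookie.sameSite) {
    case "Strict":
      return false; // never sent cross-site
    case "None":
      return true; // sent cross-site (Secure already checked)
    default: // Lax: only cross-site top-level navigation with a safe method
      return request.topLevelNavigation && SAFE_METHODS.has(request.method);
  }
}

// Constructed request contexts matching the scenarios in the text.
const linkClick = { sameSite: false, topLevelNavigation: true, method: "GET" };
const iframeLoad = { sameSite: false, topLevelNavigation: false, method: "GET" };
const firstParty = { sameSite: true, topLevelNavigation: false, method: "POST" };
```

Calling shouldSend(parseSetCookie("sid=abc123"), iframeLoad) returns false, which is why a session cookie with no explicit SameSite attribute stops working inside a cross-site iframe.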


