Hmm. Not sure about this. Need to revisit my understanding.
In a nutshell
SameSite is an attribute of the Set-Cookie HTTP response header that lets you specify whether an outgoing cookie should be restricted to first-party requests. You use SameSite on the server side like this:
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=<same-site-value>
Lax (default in most browsers)
Cookies are sent only for first-party requests or for cross-site requests where the user navigates to the origin site (e.g., via a link).
For example, a Lax cookie will be sent if a user is on website1.com and clicks on a link to go to website2.com. The navigation from website1.com to website2.com is a cross-site request, but it is a top-level navigation, so the Lax cookie from website2.com will still be sent.
If instead website1.com loaded an iframe pointing to website2.com, that is a cross-site request that is not a top-level navigation, so a Lax cookie from website2.com won't be sent.
If you wanted a cookie from website2.com to be sent even when website2.com is loaded in an iframe, you'd have to set the SameSite value to None.
Lax recently replaced None as the default value for SameSite when the SameSite attribute is not explicitly specified.
Strict
Cookies are sent only for first-party requests, never for third-party requests.
None
Cookies are sent for both first-party and third-party requests. If SameSite=None is set, the Secure attribute must also be set on the cookie, otherwise the browser blocks it.
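To make the three modes concrete, here is an added example (not code from the original post) that parses a Set-Cookie header and models the browser's decision for the link-click, iframe and third-party cases described above. The Request model, function names and sample headers are assumptions; it also encodes the browser rule, not stated in the post, that Lax sends cookies on cross-site top-level navigations only for safe methods such as GET.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed model of an outgoing browser request (hypothetical, for illustration)."""
    cross_site: bool            # target site differs from the site of the page making the request
    top_level_navigation: bool  # e.g. the user clicked a link; False for iframes, images, fetch/XHR
    method: str = "GET"
    https: bool = True


def parse_set_cookie(header: str):
    """Parse a Set-Cookie header value into name, value and SameSite/Secure flags.

    Returns None when a browser would reject the cookie (SameSite=None without Secure).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    samesite = attrs.get("samesite", "Lax").capitalize()
    if samesite not in ("Strict", "Lax", "None"):
        samesite = "Lax"  # unspecified or unrecognised values fall back to the default, Lax
    secure = "secure" in attrs
    if samesite == "None" and not secure:
        return None  # SameSite=None is only honoured together with Secure
    return {"name": name.strip(), "value": value.strip(), "samesite": samesite, "secure": secure}


def cookie_sent(cookie: dict, req: Request) -> bool:
    """Decide whether a stored cookie is attached to a request under SameSite rules."""
    if cookie["secure"] and not req.https:
        return False  # Secure cookies never travel over plain HTTP
    if not req.cross_site:
        return True  # first-party request: every mode sends the cookie
    mode = cookie["samesite"]
    if mode == "Strict":
        return False  # never sent on cross-site requests
    if mode == "Lax":
        # sent only for top-level navigations with a safe method (a link click),
        # not for iframes, images, fetch/XHR or cross-site form POSTs
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    return True  # None: sent on all cross-site requests (Secure already enforced above)
```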