In 2016 [[Google Chrome]] version 51 introduced<ref>{{Cite web|url=https://www.chromestatus.com/feature/4672634709082112|title='SameSite' cookie attribute, Chrome Platform Status|website=Chromestatus.com|access-date=2016-04-23|archive-url=https://web.archive.org/web/20160509064447/https://www.chromestatus.com/feature/4672634709082112|archive-date=2016-05-09|url-status=live}}</ref> a new kind of cookie with the attribute <code>SameSite</code>. The <code>SameSite</code> attribute can have a value of <code>Strict</code>, <code>Lax</code> or <code>None</code>.<ref>{{Cite web|url=https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00|title=Same-Site Cookies draft-ietf-httpbis-cookie-same-site-00|last=Goodwin|last2=West|first=M.|website=tools.ietf.org|access-date=2016-07-28|archive-url=https://web.archive.org/web/20160816182604/https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00|archive-date=2016-08-16|url-status=live}}</ref> With the attribute <code>SameSite=Strict</code>, browsers should only send these cookies with requests originating from the same domain/site as the target domain. This would effectively mitigate [[cross-site request forgery]] (XSRF) attacks.<ref>https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/</ref> <code>SameSite=Lax</code> would not restrict the originating site, but would enforce that the target domain be the same as the cookie domain, effectively blocking third-party (cross-site) cookies. The attribute <code>SameSite=None</code> would allow third-party (cross-site) cookies. The same-site cookie is incorporated into [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05 a new draft of "Cookies: HTTP State Management Mechanism"] to update RFC 6265 (if approved).
Chrome, Firefox and Microsoft Edge have all started to support same-site cookies.<ref>https://www.lambdatest.com/SameSite-cookie-attribute</ref> The key issue in the rollout is the treatment of existing cookies that do not define the SameSite attribute. Chrome has been treating those existing cookies as if SameSite=None, which keeps all websites and applications running as before. Google intended to change that default to SameSite=Lax in February 2020;<ref>https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html</ref> the change would break applications and websites that rely on third-party/cross-site cookies but do not define the SameSite attribute. Given the extensive changes required of web developers and the COVID-19 circumstances, Google temporarily rolled back the SameSite cookie change.<ref>https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html</ref>
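
The default change described above can be checked against a site's own <code>Set-Cookie</code> headers before it takes effect. The following is an added example, not code from Chrome or from the cited sources; the header values are constructed sample data, and treating an unrecognised SameSite value like a missing attribute is an assumption.

```javascript
// Added example: find cookies whose treatment changes when the browser
// default for a missing SameSite attribute moves from None to Lax.
const SAMPLE_HEADERS = [ // constructed sample Set-Cookie header values
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
  "prefs=dark; Path=/; samesite=lax",
  "widget_id=42; Domain=widgets.example; Secure; SameSite=None",
  "legacy_sso=xyz; Domain=idp.example; Path=/",
];

const KNOWN = new Map([["strict", "Strict"], ["lax", "Lax"], ["none", "None"]]);

// Parse one Set-Cookie header value into the cookie name and declared SameSite.
function parseSameSite(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const i = pair.indexOf("=");
  const name = i === -1 ? pair : pair.slice(0, i);
  let declared = null; // null means the attribute is absent
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    if (key !== "samesite") continue; // attribute names are case-insensitive
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim().toLowerCase();
    // Assumption: an unrecognised value is handled like a missing attribute.
    declared = KNOWN.get(value) ?? null;
  }
  return { name, declared };
}

// Effective policy under a browser default ("None" legacy, "Lax" planned).
function effectivePolicy(declared, browserDefault) {
  return declared === null ? browserDefault : declared;
}

// Report each cookie and whether the default change alters its treatment.
function auditHeaders(headers) {
  return headers.map((h) => {
    const { name, declared } = parseSameSite(h);
    const before = effectivePolicy(declared, "None");
    const after = effectivePolicy(declared, "Lax");
    return { name, declared, before, after, affected: before !== after };
  });
}

// Cookies that need an explicit SameSite attribute to keep working cross-site.
function affectedCookies(headers) {
  return auditHeaders(headers).filter((r) => r.affected).map((r) => r.name);
}

console.log(auditHeaders(SAMPLE_HEADERS));
console.log("Affected by the Lax default:", affectedCookies(SAMPLE_HEADERS));
```

Only the cookie with no SameSite attribute is reported as affected; cookies that already declare a value keep the same treatment under either default.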