Re: SameSite=Strict cookies for a user entered URL

-security-dev, public-webappsec to BCC., which is the group you'll probably want to poke at
about cookies.

On Mon, Jun 13, 2016 at 6:35 PM, Craig Francis <>

> Hi,
> I was wondering about the security vs usability in how SameSite=Strict
> cookies work.
> At the moment (in Chrome 51 - 53 at least), if you're on a website, and
> copy/paste a URL for the current website in to the current tabs address
> bar, the SameSite=Strict cookies are sent in that request.
> But if you open a new tab, paste the URL, the requested page does not
> include the SameSite=Strict cookies.

This is a bug in Chrome's implementation that I'm poking at. Step 1 of
handles this case, though it's a bit opaque since it requires you to know
that a new, user-navigated tab doesn't have a 'client'. I've filed to add a note to the
spec to clarify things.

Thanks for the report, and sorry for the delayed response.


Received on Monday, 20 June 2016 14:43:29 UTC