'SameSite' cookie attribute
- OTHERSame-site cookies ("First-Party-Only" or "First-Party") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
Chrome
- 4 - 50: Not supported
- 51 - 79: Supported
- 80 - 123: Supported
- 124: Supported
- 125 - 127: Supported
Edge
- 12 - 15: Not supported
- 16 - 17: Supported
- 18 - 85: Supported
- 86 - 123: Supported
- 124: Supported
Safari
- 3.1 - 11.1: Not supported
- 12 - 13.1: Partial support
- 14 - 14.1: Partial support
- 15 - 17.3: Supported
- 17.4: Supported
- 17.5 - TP: Supported
Firefox
- 2 - 59: Not supported
- 60 - 124: Supported
- 125: Supported
- 126 - 128: Supported
Opera
- 9 - 38: Not supported
- 39 - 70: Supported
- 71 - 108: Supported
- 109: Supported
IE
- 5.5 - 10: Not supported
- 11: Partial support
Chrome for Android
- 124: Supported
Safari on iOS
- 3.2 - 11.4: Not supported
- 12 - 12.5: Partial support
- 13 - 17.3: Supported
- 17.4: Supported
- 17.5: Supported
Samsung Internet
- 4: Not supported
- 5 - 23: Supported
- 24: Supported
Opera Mini
- all: Not supported
Opera Mobile
- 10 - 12.1: Not supported
- 80: Supported
UC Browser for Android
- 15.5: Not supported
Android Browser
- 2.1 - 4.4.4: Not supported
- 124: Supported
Firefox for Android
- 125: Supported
QQ Browser
- 14.9: Support unknown
Baidu Browser
- 13.52: Supported
KaiOS Browser
- 2.5: Not supported
- 3: Supported
This feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie. There is no need to deliver different cookies to clients.
- Resources:
- MS Edge dev blog: "Previewing support for same-site cookies in Microsoft Edge"
- Mozilla Bug #1286861, includes the patches that landed SameSite support in Firefox
- Mozilla Bug #1551798: Prototype SameSite=Lax by default
- Mozilla Bug #795346: Add SameSite support for cookies
- Microsoft Edge Browser Status
- Same-site cookies demonstration by Rowan Merewood
- Preventing CSRF with the same-site cookie attribute