Long story short: it is not safe to rely on web cookies created with SameSite=None. I ran an experiment that tested the SameSite attribute by creating cookies in about 770 000 web requests from real visitors. Incompatible browsers: https://www.chromium.org/updates/same-site/incompatible-clients
In the following days this page will be updated with more statistics.
Experiment results:
Data collection:
- ~25 000 – unique results
- ~770 000 – payloads
- Top 5 countries:
  - US
  - UK
  - Canada
  - Australia
  - Netherlands
A link to the 25 000 unique results: https://docs.google.com/spreadsheets/d/1NzDInarIRNgZ5etXeihxgyd5x1cGfVG9jjDPdl2YPu0/edit?usp=sharing
Data analysis based on the ~25 000 unique results:
- 78.42% – Success with SameSite=None; Secure.
- 4.57% – Failed to create a cookie with SameSite=None; Secure, but successfully created one with only the Secure flag.
- ~17% – Couldn’t be read by JavaScript with either SameSite=None; Secure or the Secure flag alone.

Notes on the experiment:
With the latest browsers’ releases we started feeling and hearing more about the SameSite cookie attribute: https://web.dev/samesite-cookies-explained/
This attribute has 3 possible values: Lax, Strict and None. Lax and Strict seem to work “flawlessly”, but there are issues with None. The reason is that None was introduced after the Lax and Strict options were already implemented, and some browsers were not prepared for it.
Here is what happens on incompatible browsers when we have SameSite=None:
- A cookie is dropped/not created. (that’s kind of scary)
- A cookie is created as SameSite=Strict.
More details about incompatible browsers: https://www.chromium.org/updates/same-site/incompatible-clients
The method:
In a third-party iframe we:
- created cookies with different combinations of the SameSite attribute and the Secure flag, via JavaScript and via response headers
- created cookies without the SameSite attribute and without the Secure flag, via JavaScript and via response headers
- created cookies with different lifetimes, via JavaScript and via response headers
- deleted some of the cookies with JavaScript
Once the cookies are created, we read them back via JavaScript and send them to the server both as a GET query parameter and in the request headers.
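The following is an added example, not code from the original experiment: it builds the Set-Cookie variants the method above describes and classifies a client's returned cookie string into the three result buckets reported above. Cookie names, values and the `withLegacyFallback` helper (the "two cookies" workaround that Chromium's incompatible-clients page recommends) are assumptions for illustration.

```javascript
// Added example (not from the original post). Cookie names/values are constructed.
const VARIANTS = [
  { name: 'ss_none_secure', attrs: 'SameSite=None; Secure' }, // the case under test
  { name: 'secure_only',    attrs: 'Secure' },                 // fallback comparison
  { name: 'ss_lax',         attrs: 'SameSite=Lax' },
  { name: 'ss_strict',      attrs: 'SameSite=Strict' },
  { name: 'plain',          attrs: '' },                       // no SameSite, no Secure
];

// Set-Cookie header values (the same strings work as document.cookie assignments).
// maxAgeSeconds is the "different lifetimes" dimension of the experiment.
function buildSetCookieHeaders(maxAgeSeconds = 3600) {
  return VARIANTS.map(({ name, attrs }) => {
    const parts = [`${name}=1`, 'Path=/', `Max-Age=${maxAgeSeconds}`];
    if (attrs) parts.push(attrs);
    return parts.join('; ');
  });
}

// Parse "a=1; b=2", the format of document.cookie and of the Cookie request header.
function parseCookieString(str) {
  const out = {};
  for (const pair of str.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    out[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
  }
  return out;
}

// Map what the client sent back to the three buckets used in the results above.
function classifyClient(cookieString) {
  const c = parseCookieString(cookieString);
  if ('ss_none_secure' in c) return 'samesite_none_ok';            // 78.42% bucket
  if ('secure_only' in c) return 'samesite_none_dropped_secure_ok'; // 4.57% bucket
  return 'no_cookie_readable';                                      // ~17% bucket
}

// Mitigation (assumed helper): emit the SameSite=None cookie plus a legacy
// twin without SameSite, so clients that drop the first still keep the second.
function withLegacyFallback(name, value, maxAgeSeconds = 3600) {
  const base = `Path=/; Max-Age=${maxAgeSeconds}; Secure`;
  return [
    `${name}=${value}; ${base}; SameSite=None`,
    `${name}-legacy=${value}; ${base}`,
  ];
}
```

On the server, the cookie that actually arrives (either name) tells you which bucket that client falls into.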
The setup:
