Long story short: it is not safe to create web cookies with SameSite=None. I ran an experiment that tested the SameSite flag by creating cookies in about 770 000 web requests from real visitors. Incompatible browsers: https://www.chromium.org/updates/same-site/incompatible-clients
In the following days this page will be updated with more statistics.
- ~ 25 000 – Unique results
- ~ 770 000 – Payloads
- Top 5 countries:
A link to the 25 000 unique results: https://docs.google.com/spreadsheets/d/1NzDInarIRNgZ5etXeihxgyd5x1cGfVG9jjDPdl2YPu0/edit?usp=sharing
Data analysis based on the ~ 25 000 unique results:
- 78.42% – Success with SameSite=None; Secure.
- 4.57% – Failed to create a cookie with SameSite=None; Secure but successfully created with the Secure flag.
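The buckets above come from comparing which cookies a browser sends back after the server tried to set them. Here is an added example of such a probe (my own Node.js code, not the post's): the first response sets two cookies that differ only in the SameSite attribute, and on the next cross-site request the handler classifies which of them came back. Cookie names, bucket labels and the `/set` path are my own choices.

```javascript
// Added example (not code from the original post): a minimal server-side probe
// that measures what the experiment above reports on. The first response sets
// two cookies that differ only in their attributes; on the next cross-site
// request (e.g. from a third-party iframe) the handler classifies which of
// them the browser returned. Cookie names and bucket labels are my own.

// Two probe cookies. Values are fixed so classification depends only on
// whether the browser stored and returned each cookie.
const PROBES = [
  'sn_probe=1; Path=/; Secure; SameSite=None', // the attribute under test
  'sec_probe=1; Path=/; Secure',               // control: same, minus SameSite
];

function probeSetCookieHeaders() {
  return PROBES.slice();
}

// Parse a request Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  if (typeof header !== 'string') return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Bucket a follow-up request the way the post's statistics are bucketed.
// The request must be cross-site: on a same-site request a cookie that a
// buggy browser silently turned into SameSite=Strict would still be sent,
// and the first two buckets below could not be told apart.
function classifyProbe(cookieHeader) {
  const c = parseCookieHeader(cookieHeader);
  const gotNone = 'sn_probe' in c;
  const gotSecure = 'sec_probe' in c;
  if (gotNone && gotSecure) return 'samesite_none_ok';       // post's 78.42% bucket
  if (!gotNone && gotSecure) return 'samesite_none_dropped'; // post's 4.57% bucket
  if (gotNone && !gotSecure) return 'control_missing';       // unexpected; worth logging
  return 'no_probe_cookies';                                 // first visit, plain HTTP, or third-party cookies blocked
}

// Node.js request handler for the probe endpoint. It must be served over
// HTTPS because both cookies carry the Secure attribute, e.g.:
//   https.createServer(tlsOptions, probeHandler).listen(8443)
function probeHandler(req, res) {
  if (req.url === '/set') {
    res.setHeader('Set-Cookie', probeSetCookieHeaders());
    res.end('probe cookies set');
    return;
  }
  const result = {
    bucket: classifyProbe(req.headers.cookie),
    userAgent: req.headers['user-agent'] || '',
  };
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify(result));
}
```

Logging the bucket together with the User-Agent is what makes the per-browser breakdown possible; a run of `samesite_none_dropped` results for one browser family is the signal that the family belongs on the incompatible list.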
Notes on the experiment:
With the latest browsers’ releases we started feeling and hearing more about the SameSite cookie attribute: https://web.dev/samesite-cookies-explained/
This attribute has 3 possible values: Lax, Strict and None. Lax and Strict seem to work “flawlessly”, but there are some issues with None. The reason is that None was introduced after the Lax and Strict options were implemented, and some browsers were not prepared for it.
Here is what happens on incompatible browsers when a cookie is set with SameSite=None:
- The cookie is dropped/not created. (that’s kind of scary)
- The cookie is created as SameSite=Strict.
More details about incompatible browsers: https://www.chromium.org/updates/same-site/incompatible-clients
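To make the incompatible-client problem concrete, here is an added example (my own Node.js code, not the post's): a reimplementation of the user-agent heuristic that the linked Chromium page publishes as pseudocode, plus a helper that only adds SameSite=None for clients that can handle it. The regular expressions and version ranges below are reproduced from memory, so check them against that page before relying on them; the clients they cover are iOS 12, macOS 10.14 Safari and embedded WebKit, Chromium 51 to 66, and UC Browser before 12.13.2.

```javascript
// Added example, not from the post: a Node.js re-implementation of the
// user-agent heuristic published as pseudocode on the Chromium
// incompatible-clients page. Regexes and version ranges are from memory
// (assumption: they match that page) and should be verified against it.

function isIosVersion(major, ua) {
  const m = /\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\//.exec(ua);
  return !!m && Number(m[1]) === major;
}
function isMacosxVersion(major, minor, ua) {
  const m = /\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\//.exec(ua);
  return !!m && Number(m[1]) === major && Number(m[2]) === minor;
}
function isChromiumBased(ua) {
  return /Chrom(e|ium)/.test(ua);
}
function isSafari(ua) {
  return /Version\/.* Safari\//.test(ua) && !isChromiumBased(ua);
}
// Apps embedding WebKit on macOS send a bare WebKit UA with no product token.
function isMacEmbeddedBrowser(ua) {
  return /^Mozilla\/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit\/[\.\d]+ \(KHTML, like Gecko\)$/.test(ua);
}
function isChromiumVersionAtLeast(major, ua) {
  const m = /Chrom[^ \/]+\/(\d+)[\.\d]* /.exec(ua);
  return !!m && Number(m[1]) >= major;
}
function isUcBrowser(ua) {
  return /UCBrowser\//.test(ua);
}
function isUcBrowserVersionAtLeast(major, minor, build, ua) {
  const m = /UCBrowser\/(\d+)\.(\d+)\.(\d+)[\.\d]* /.exec(ua);
  if (!m) return false;
  const [a, b, c] = [Number(m[1]), Number(m[2]), Number(m[3])];
  if (a !== major) return a > major;
  if (b !== minor) return b > minor;
  return c >= build;
}

// WebKit bug: SameSite=None is treated as SameSite=Strict (the second
// failure mode listed in the post).
function hasWebKitSameSiteBug(ua) {
  return isIosVersion(12, ua) ||
    (isMacosxVersion(10, 14, ua) && (isSafari(ua) || isMacEmbeddedBrowser(ua)));
}
// Chromium 51-66 and old UC Browser drop cookies whose SameSite value they do
// not recognise (the first failure mode listed in the post). UC Browser is
// checked first because its UA also carries an old Chrome token.
function dropsUnrecognizedSameSiteCookies(ua) {
  if (isUcBrowser(ua)) return !isUcBrowserVersionAtLeast(12, 13, 2, ua);
  return isChromiumBased(ua) && isChromiumVersionAtLeast(51, ua) && !isChromiumVersionAtLeast(67, ua);
}
function isSameSiteNoneIncompatible(ua) {
  return hasWebKitSameSiteBug(ua) || dropsUnrecognizedSameSiteCookies(ua);
}

// Build the Set-Cookie header list for a cookie that must work cross-site.
// Incompatible clients get the attribute omitted; those old clients then
// apply their pre-SameSite default and the cookie survives.
function crossSiteSetCookie(name, value, ua) {
  const base = `${name}=${value}; Path=/; Secure; HttpOnly`;
  return isSameSiteNoneIncompatible(ua || '') ? [base] : [`${base}; SameSite=None`];
}
```

The Chromium page also describes the alternative of always setting two cookies, one with `SameSite=None; Secure` and a legacy one without the attribute, and reading whichever arrives; that avoids user-agent sniffing at the cost of a second cookie on every response.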
In a third-party Iframe we: