Skip to main content

Same-Site Cookies

Document Type Replaced Internet-Draft (httpbis WG)
Expired & archived
Authors Mike West , Mark Goodwin
Last updated 2016-12-22 (Latest revision 2016-06-20)
Replaces draft-west-first-party-cookies
Replaced by draft-ietf-httpbis-rfc6265bis
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-httpbis-rfc6265bis
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document updates RFC6265 by defining a "SameSite" attribute which allows servers to assert that a cookie ought not to be sent along with cross-site requests. This assertion allows user agents to mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks.


Mike West
Mark Goodwin

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)