Skip to main content

First-Party Sets and SameSite Cookies

Document Type Expired Internet-Draft (individual)
Author Mike West
Last updated 2019-11-18 (Latest revision 2019-05-10)
Stream (None)
Intended RFC status (None)
Expired & archived
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document proposes the addition of two new values to the "SameSite" cookie attribute defined in RFC6265bis [I-D.ietf-httpbis-rfc6265bis]: "FirstPartyLax" and "FirstPartyStrict". These values are conceptually similar to the existing "Lax" and "Strict" values, but base the delivery checks on the First-Party Sets [first-party-set] of a request's initiator and target, rather than on their respective registrable domains. This widens the scope of a given cookie's applicability, enabling entities that have sharded themselves across multiple registrable domains to maintain HTTP state without exposing themselves to the risks of "SameSite=None".


Mike West

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)