First-Party Sets and SameSite Cookies

Document Type Expired Internet-Draft (individual)
Author Mike West 
Last updated 2019-11-18 (latest revision 2019-05-10)
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document proposes the addition of two new values to the "SameSite" cookie attribute defined in RFC6265bis [I-D.ietf-httpbis-rfc6265bis]: "FirstPartyLax" and "FirstPartyStrict". These values are conceptually similar to the existing "Lax" and "Strict" values, but base the delivery checks on the First-Party Sets [first-party-set] of a request's initiator and target, rather than on their respective registrable domains. This widens the scope of a given cookie's applicability, enabling entities that have sharded themselves across multiple registrable domains to maintain HTTP state without exposing themselves to the risks of "SameSite=None".


Mike West (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)