'SameSite' cookie attribute


Same-site cookies ("First-Party-Only" or "First-Party") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

IE

  1. 5.5 - 10
  2. 11

Edge

  1. 12 - 15
  2. 16 - 17
  3. 18 - 81
  4. 83

Firefox

  1. 2 - 59
  2. 60 - 75
  3. 76
  4. 77 - 78

Chrome

  1. 4 - 50
  2. 51 - 79
  3. 80 - 81
  4. 83
  5. 84 - 86

Safari

  1. 3.1 - 11.1
  2. 12 - 13
  3. 13.1
  4. TP

Opera

  1. 9 - 38
  2. 39 - 67
  3. 68

iOS Safari

  1. 3.2 - 11.4
  2. 12 - 12.4
  3. 13 - 13.3
  4. 13.4

Opera Mini

  1. all

Android Browser

  1. 2.1 - 4.4.4
  2. 81

Blackberry Browser

  1. 7
  2. 10

Opera Mobile

  1. 10 - 12.1
  2. 46

Chrome for Android

  1. 81

Firefox for Android

  1. 68

IE Mobile

  1. 10
  2. 11

UC Browser for Android

  1. 12.12

Samsung Internet

  1. 4
  2. 5 - 10.1
  3. 11.1

QQ Browser

  1. 10.4

Baidu Browser

  1. 7.12

KaiOS Browser

  1. 2.5

This feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie. There is no need to deliver different cookies to clients.

Resources:
Preventing CSRF with the same-site cookie attribute
MS Edge dev blog: "Previewing support for same-site cookies in Microsoft Edge"
Mozilla Bug #1286861, includes the patches that landed SameSite support in Firefox
Mozilla Bug #1551798: Prototype SameSite=Lax by default
Mozilla Bug #795346: Add SameSite support for cookies
Microsoft Edge Browser Status
Same-site cookies demonstration by Rowan Merewood
Microsoft Edge feature request on UserVoice