While Google has made strides to remove cookies, there was a recent addition to the Chromium product upon which Chrome, Safari, and Edge are based.
I saw this written up as the following:
The SameParty attribute takes no value, and requires that the cookie also specify the “Secure” attribute, and not specify “SameSite=Strict”. If either of these constraints is violated, the cookie will be considered invalid, and will not be set. “SameSite=Strict” is not supported because “SameSite=Strict” is intended as a security boundary, rather than a privacy boundary (which First-Party Sets aims to establish). Valid use-cases of “SameSite=Strict” in cross-site contexts should not be loosened even when the sites are same-party.
Better stated…
- The SameParty attribute is specified without a value (as are Secure and HttpOnly) as ;SameParty;
- The Secure attribute is required in order to use the SameParty attribute. Any cookie specifying SameParty without Secure will be rejected as invalid.
- Additionally, any cookie specifying SameParty in the presence of SameSite=Strict will be rejected as invalid.
While I’ve seen this implemented in versions of Chrome 89+, it is not yet adopted in Firefox (and may never be).
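The rules in the list above, written as a small lint for Set-Cookie header values. This is an added example, not code from the original post or from Chromium; the helper name checkSameParty and the sample headers are constructed for illustration.

```javascript
// Added example: lint a Set-Cookie header value against the SameParty rules.
// checkSameParty is a hypothetical helper name, not a browser or library API.
function checkSameParty(setCookie) {
  // The first ';'-separated segment is name=value; the rest are attributes.
  const [, ...segments] = setCookie.split(";");
  const attrs = new Map();
  for (const raw of segments) {
    const part = raw.trim();
    if (part === "") continue; // tolerate a trailing ';'
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : part.slice(eq + 1).trim().toLowerCase();
    attrs.set(name, value); // names compared case-insensitively; last one wins
  }
  const reasons = [];
  if (attrs.has("sameparty")) {
    if (!attrs.has("secure")) {
      reasons.push("SameParty requires Secure");
    }
    if (attrs.get("samesite") === "strict") {
      reasons.push("SameParty cannot be combined with SameSite=Strict");
    }
  }
  return { sameParty: attrs.has("sameparty"), rejected: reasons.length > 0, reasons };
}

// Constructed sample headers (values only, without the "Set-Cookie:" prefix).
const samples = [
  "sid=abc123; Secure; HttpOnly; SameSite=Lax; SameParty",
  "sid=abc123; HttpOnly; SameParty",
  "sid=abc123; Secure; SameSite=Strict; SameParty",
  "sid=abc123; samesite=STRICT; sameparty;",
  "sid=abc123; SameSite=Strict",
];
for (const s of samples) {
  const r = checkSameParty(s);
  console.log(r.rejected ? "REJECT" : "ok    ", s, r.reasons.join("; "));
}
```

Running the same check over response headers in a test suite catches a SameParty cookie that the browser would otherwise drop without any server-side error.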