Aug 19, 2020
SameSite cookies explained
For implementation advice on `SameSite=None`, see part 2: SameSite cookie recipes.

Cookies are one of the methods available for adding persistent state to websites. Over the years their capabilities have grown and evolved, but left the platform with some problematic legacy issues. To address this, browsers (including Chrome, Firefox, and Edge) are changing their behavior to enforce more privacy-preserving defaults.

Each cookie is a `key=value` pair along with a number of attributes that control when and where that cookie is used. You've probably already used these attributes to set things like expiration dates or to indicate that the cookie should only be sent over HTTPS. Servers set cookies by sending the aptly-named `Set-Cookie` header in their response. For all the detail you can dive into RFC6265bis, but for now here's a quick refresher.

Say you have a blog where you want to display a 'What's new' promo to your users. Users can dismiss the promo and then they won't see it again for a while. You can store that preference in a cookie, set it to expire in a month (2,600,000 seconds), and only send it over HTTPS. That header would look like this:

When your reader views a page that meets those requirements, i.e. they're on a secure connection and the cookie is less than a month old, then their browser will send this header in its request:
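The two headers this refresher describes, as an added example that is not code from the article: a serializer for the `Set-Cookie` response header (the `promo_shown` cookie with `Max-Age=2600000` and `Secure`) plus parsers for `Set-Cookie` and for the semicolon-separated `Cookie` request header. The cookie value `1` and the second sample cookie are constructed; the article gives no values.

```javascript
// Added example, not code from the web.dev article: build the Set-Cookie header
// the refresher describes and parse the Cookie header a browser sends back.
// The value "1" for promo_shown is a constructed placeholder.
const ONE_MONTH_SECONDS = 2600000; // the article's "a month (2,600,000 seconds)"

// Serialize a name, value and attribute object into a Set-Cookie header value.
function serializeSetCookie(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value into {name, value, attributes}. Attribute names
// are case-insensitive (RFC6265), so they are lower-cased; flags such as Secure
// become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Parse a Cookie request header: name=value pairs separated by semicolons and no
// attributes, because the browser only echoes back what it has stored.
function parseCookieHeader(header) {
  const cookies = {};
  for (const pair of header.split(";")) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf("=");
    if (eq <= 0) continue; // skip empty fragments and nameless pairs
    cookies[trimmed.slice(0, eq)] = trimmed.slice(eq + 1);
  }
  return cookies;
}

// The blog's promo cookie: expires in a month and is only sent over HTTPS.
const promoHeader = serializeSetCookie("promo_shown", "1", {
  maxAge: ONE_MONTH_SECONDS,
  secure: true,
});
console.log("Set-Cookie:", promoHeader); // promo_shown=1; Max-Age=2600000; Secure
// Constructed request header, as the browser would send it on a later visit.
console.log(parseCookieHeader("promo_shown=1; theme=dark"));
```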
You can also add and read the cookies available to that site in JavaScript using `document.cookie`. Making an assignment to `document.cookie` will create or override a cookie with that key. For example, you can try the following in your browser's JavaScript console:

Reading `document.cookie` will output all the cookies accessible in the current context, with each cookie separated by a semicolon:

If you try this on a selection of popular sites you will notice that most of them set significantly more than just three cookies. In most cases, those cookies are sent on every single request to that domain, which has a number of implications. Upload bandwidth is often more restricted than download for your users, so that overhead on all outbound requests is adding a delay on your time to first byte. Be conservative in the number and size of cookies you set. Make use of the `Max-Age` attribute to help ensure that cookies don't hang around longer than needed.

What are first-party and third-party cookies? #
If you go back to that same selection of sites you were looking at before, you probably noticed that there were cookies present for a variety of domains, not just the one you were currently visiting. Cookies that match the domain of the current site, i.e. what's displayed in the browser's address bar, are referred to as first-party cookies. Similarly, cookies from domains other than the current site are referred to as third-party cookies. This isn't an absolute label but is relative to the user's context; the same cookie can be either first-party or third-party depending on which site the user is on at the time.
Continuing the example from above, let's say one of your blog posts has a picture of a particularly amazing cat in it and it's hosted at `/blog/img/amazing-cat.png`. Because it's such an amazing image, another person uses it directly on their site. If a visitor has been to your blog and has the `promo_shown` cookie, then when they view `amazing-cat.png` on the other person's site that cookie will be sent in that request for the image. This isn't particularly useful for anyone since `promo_shown` isn't used for anything on this other person's site; it's just adding overhead to the request.

If that's an unintended effect, why would you want to do this? It's this mechanism that allows sites to maintain state when they are being used in a third-party context. For example, if you embed a YouTube video on your site then visitors will see a 'Watch later' option in the player. If your visitor is already signed in to YouTube, that session is being made available in the embedded player by a third-party cookie, meaning that 'Watch later' button will just save the video in one go rather than prompting them to sign in or having to navigate them away from your page and back over to YouTube.
One of the cultural properties of the web is that it's tended to be open by default. This is part of what has made it possible for so many people to create their own content and apps there. However, this has also brought a number of security and privacy concerns. Cross-site request forgery (CSRF) attacks rely on the fact that cookies are attached to any request to a given origin, no matter who initiates the request. For example, if you visit `evil.example` then it can trigger requests to `your-blog.example`, and your browser will happily attach the associated cookies. If your blog isn't careful with how it validates those requests then `evil.example` could trigger actions like deleting posts or adding their own content.

Users are also becoming more aware of how cookies can be used to track their activity across multiple sites. However, until now there hasn't been a way to explicitly state your intent with the cookie. Your `promo_shown` cookie should only be sent in a first-party context, whereas a session cookie for a widget meant to be embedded on other sites is intentionally there for providing the signed-in state in a third-party context.

Explicitly state cookie usage with the `SameSite` attribute #
The introduction of the `SameSite` attribute (defined in RFC6265bis) allows you to declare if your cookie should be restricted to a first-party or same-site context. It's helpful to understand exactly what 'site' means here. The site is the combination of the domain suffix and the part of the domain just before it. For example, the `www.web.dev` domain is part of the `web.dev` site.

Key Term: If the user is on `www.web.dev` and requests an image from `static.web.dev` then that is a same-site request.

The public suffix list defines this, so it's not just top-level domains like `.com` but also includes services like `github.io`. That enables `your-project.github.io` and `my-project.github.io` to count as separate sites.

Key Term: If the user is on `your-project.github.io` and requests an image from `my-project.github.io` that's a cross-site request.

Introducing the `SameSite` attribute on a cookie provides three different ways to control this behaviour. You can choose to not specify the attribute, or you can use `Strict` or `Lax` to limit the cookie to same-site requests.

If you set `SameSite` to `Strict`, your cookie will only be sent in a first-party context. In user terms, the cookie will only be sent if the site for the cookie matches the site currently shown in the browser's URL bar. So, if the `promo_shown` cookie is set as follows:

When the user is on your site, then the cookie will be sent with the request as expected. However, when following a link into your site, say from another site or via an email from a friend, on that initial request the cookie will not be sent. This is good when you have cookies relating to functionality that will always be behind an initial navigation, such as changing a password or making a purchase, but is too restrictive for `promo_shown`. If your reader follows the link into the site, they want the cookie sent so their preference can be applied.

That's where `SameSite=Lax` comes in by allowing the cookie to be sent with these top-level navigations. Let's revisit the cat article example from above where another site is referencing your content. They make use of your photo of the cat directly and provide a link through to your original article. And the cookie has been set as so:
When the reader is on the other person's blog the cookie will not be sent when the browser requests `amazing-cat.png`. However, when the reader follows the link through to `cat.html` on your blog, that request will include the cookie. This makes `Lax` a good choice for cookies affecting the display of the site, with `Strict` being useful for cookies related to actions your user is taking.

Caution: Neither `Strict` nor `Lax` is a complete solution for your site's security. Cookies are sent as part of the user's request and you should treat them the same as any other user input. That means sanitizing and validating the input. Never use a cookie to store data you consider a server-side secret.

Finally there is the option of not specifying the value, which has previously been the way of implicitly stating that you want the cookie to be sent in all contexts. In the latest draft of RFC6265bis this is being made explicit by introducing a new value of `SameSite=None`. This means you can use `None` to clearly communicate that you intentionally want the cookie sent in a third-party context.

If you provide a service that other sites consume, such as widgets, embedded content, affiliate programs, advertising, or sign-in across multiple sites, then you should use `None` to ensure your intent is clear.

Changes to the default behavior without SameSite #
While the `SameSite` attribute is widely supported, it has unfortunately not been widely adopted by developers. The open default of sending cookies everywhere means all use cases work but leaves the user vulnerable to CSRF and unintentional information leakage. To encourage developers to state their intent and provide users with a safer experience, the IETF proposal, Incrementally Better Cookies, lays out two key changes:

- Cookies without a `SameSite` attribute will be treated as `SameSite=Lax`.
- Cookies with `SameSite=None` must also specify `Secure`, meaning they require a secure context.
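The rules above, from `Strict`, `Lax` and `None` through the two default changes just listed, as an added example that is not code from the article or from any browser: a small simulator that reduces hosts to sites and decides whether a cookie accompanies a request. It assumes a constructed public-suffix table and the hosts `your-blog.example` and `other-blog.example` (the latter is not in the article).

```javascript
// Added example, not code from the web.dev article or any browser: a simulator
// of the SameSite rules described above, including the two "Incrementally
// Better Cookies" defaults. The suffix table is a constructed stand-in for the
// real Public Suffix List; "example" is only here for the article's hosts.
const PUBLIC_SUFFIXES = new Set(["com", "dev", "example", "github.io"]);
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Reduce a hostname to its site: the public suffix plus the label just before it,
// so www.web.dev -> web.dev, but my-project.github.io stays my-project.github.io.
function siteOf(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix: treat the whole host as the site
}

function isSameSite(hostA, hostB) {
  return siteOf(hostA) === siteOf(hostB);
}

// The SameSite value that governs a cookie once the new defaults apply. Returns
// null for SameSite=None without Secure, which the browser refuses to store.
function effectiveSameSite(cookie) {
  const declared = (cookie.sameSite || "").toLowerCase();
  if (declared === "none") return cookie.secure ? "none" : null;
  if (declared === "strict") return "strict";
  return "lax"; // unset (and, in this simulator, unrecognised) values fall back to Lax
}

// Does a cookie set by cookieHost accompany a request to cookieHost made while
// the user is on pageHost? topLevel is true for navigations that change the
// address bar (following a link), false for subresources such as an <img>.
function shouldSendCookie(cookie, { pageHost, cookieHost, topLevel, method = "GET", https = true }) {
  const sameSite = effectiveSameSite(cookie);
  if (sameSite === null) return false;         // rejected at Set-Cookie time
  if (cookie.secure && !https) return false;   // Secure cookies need a secure connection
  if (isSameSite(pageHost, cookieHost)) return true; // first-party: always sent
  if (sameSite === "strict") return false;     // never on cross-site requests
  if (sameSite === "lax") return topLevel && SAFE_METHODS.has(method); // link clicks only
  return true;                                 // None; Secure: explicitly cross-site
}

// The article's cat example: another blog embeds amazing-cat.png and links to cat.html.
const promoLax = { name: "promo_shown", sameSite: "Lax", secure: true };
const fromOtherBlog = { pageHost: "other-blog.example", cookieHost: "your-blog.example" };
console.log(shouldSendCookie(promoLax, { ...fromOtherBlog, topLevel: false })); // image: false
console.log(shouldSendCookie(promoLax, { ...fromOtherBlog, topLevel: true }));  // link: true
// The article's CSRF case: evil.example triggering a POST to your blog, whose
// session cookie never declared SameSite. Lax-by-default keeps the cookie home.
const session = { name: "sessionid", secure: true };
console.log(shouldSendCookie(session, {
  pageHost: "evil.example", cookieHost: "your-blog.example", topLevel: true, method: "POST",
})); // false
```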
Chrome implements this default behavior as of version 84. Firefox has them available to test as of Firefox 69 and will make them default behaviors in the future. To test these behaviors in Firefox, open `about:config` and set `network.cookie.sameSite.laxByDefault`. Edge also plans to change its default behaviors. This article will be updated as additional browsers announce support.

`SameSite=Lax` by default #
While this is intended to apply a more secure default, you should ideally set an explicit `SameSite` attribute rather than relying on the browser to apply that for you. This makes your intent for the cookie explicit and improves the chances of a consistent experience across browsers.

Caution: The default behaviour applied by Chrome is slightly more permissive than an explicit `SameSite=Lax` as it will allow certain cookies to be sent on top-level POST requests. You can see the exact details on the blink-dev announcement. This is intended as a temporary mitigation; you should still be fixing your cross-site cookies to use `SameSite=None; Secure`.

`SameSite=None` must be secure #
You can test this behavior as of Chrome 76 by enabling `chrome://flags/#cookies-without-same-site-must-be-secure` and from Firefox 69 in `about:config` by setting `network.cookie.sameSite.noneRequiresSecure`. You will want to apply this when setting new cookies and actively refresh existing cookies even if they are not approaching their expiry date.
If you rely on any services that provide third-party content on your site, you should also check with the provider that they are updating their services. You may need to update your dependencies or snippets to ensure that your site picks up the new behavior.
Both of these changes are backwards-compatible with browsers that have correctly implemented the previous version of the `SameSite` attribute, or just do not support it at all. By applying these changes to your cookies, you are making their intended use explicit rather than relying on the default behavior of the browser. Likewise, any clients that do not recognize `SameSite=None` as of yet should ignore it and carry on as if the attribute was not set.

Warning: A number of older versions of browsers including Chrome, Safari, and UC browser are incompatible with the new `None` attribute and may ignore or restrict the cookie. This behavior is fixed in current versions, but you should check your traffic to determine what proportion of your users are affected. You can see the list of known incompatible clients on the Chromium site.

`SameSite` cookie recipes #
For further detail on exactly how to update your cookies to successfully handle these changes to `SameSite=None` and the difference in browser behavior, head to the follow-up article, SameSite cookie recipes.

Kind thanks for contributions and feedback from Lily Chen, Malte Ubl, Mike West, Rob Dodson, Tom Steiner, and Vivek Sekhar.

Cookie hero image by Pille-Riin Priske on Unsplash.
Note: This article is for the new Microsoft Edge. Get help for the legacy version of Microsoft Edge.
The new Microsoft Edge helps you browse, search, shop online, and more. Like all modern browsers, Microsoft Edge lets you collect and store specific data on your device, like cookies, and lets you send information to us, like browsing history, to make the experience as rich, fast, and personal as possible.
Whenever we collect data, we want to make sure it’s the right choice for you. Some people worry about their web browsing history being collected. That’s why we tell you what data is stored on your device or collected by us. We give you choices to control what data gets collected. For more information about privacy in Microsoft Edge, we recommend reviewing our Privacy Statement.
What data is collected or stored, and why
Microsoft uses diagnostic data to improve our products and services. We use this data to better understand how our products are performing and where improvements need to be made.
Microsoft Edge collects a set of required diagnostic data to keep Microsoft Edge secure, up to date and performing as expected. Microsoft believes in and practices information collection minimization. We strive to gather only the info we need, and to store it only for as long as it’s needed to provide a service or for analysis. In addition, you can control whether optional diagnostic data associated with your device is shared with Microsoft to solve product issues and help improve Microsoft products and services.
As you use features and services in Microsoft Edge, diagnostic data about how you use those features is sent to Microsoft. Microsoft Edge saves your browsing history—information about websites you visit—on your device. Depending on your settings, this browsing history is sent to Microsoft, which helps us find and fix problems and improve our products and services for all users. You can manage the collection of optional diagnostic data in the browser by selecting Settings and more > Settings > Privacy, search, and services and turning on or off Help improve Microsoft products by sending optional diagnostic data about how you use the browser, websites you visit, and crash reports. This includes data from testing new experiences. To finish making changes to this setting, restart Microsoft Edge.
Turning this setting on allows this optional diagnostic data to be shared with Microsoft from other applications using Microsoft Edge, such as a video streaming app that hosts the Microsoft Edge web platform to stream the video. The Microsoft Edge web platform will send info about how you use the web platform and sites you visit in the application to Microsoft. This data collection is determined by your optional diagnostic data setting in Privacy, search, and services settings in Microsoft Edge.
On Windows 10, these settings are determined by your Windows diagnostic setting. To change your diagnostic data setting, select Start > Settings > Privacy > Diagnostics & feedback. On all other platforms, you can change your settings in Microsoft Edge by selecting Settings and more > Settings > Privacy, search, and services. In some cases, your diagnostic data settings might be managed by your organization.
When you’re searching for something, Microsoft Edge can give suggestions about what you’re searching for. To turn on this feature, select Settings and more > Settings > Privacy, search, and services > Address bar and search, and turn on Show me search and site suggestions using my typed characters. As you start to type, the info you enter in the address bar is sent to your default search provider to give you immediate search and website suggestions.
When you use InPrivate browsing or guest mode, Microsoft Edge collects some info about how you use the browser depending on your Windows diagnostic data setting or Microsoft Edge privacy settings, but automatic suggestions are turned off and info about websites you visit is not collected. Microsoft Edge will delete your browsing history, cookies, and site data, as well as passwords, addresses, and form data when you close all InPrivate windows. You can start a new InPrivate session by selecting Settings and more on a computer or Tabs on a mobile device.
Microsoft Edge also has features to help you and your content stay safe online. Windows Defender SmartScreen automatically blocks websites and content downloads that are reported to be malicious. Windows Defender SmartScreen checks the address of the webpage you're visiting against a list of webpage addresses stored on your device that Microsoft believes to be legitimate. Addresses that aren't on your device’s list and the addresses of files you're downloading will be sent to Microsoft and checked against a frequently updated list of webpages and downloads that have been reported to Microsoft as unsafe or suspicious.
To speed up tedious tasks like filling out forms and entering passwords, Microsoft Edge can save info to help. If you choose to use those features, Microsoft Edge stores the info on your device. If you’ve turned on sync for form fill like addresses or passwords, this info will be sent to the Microsoft cloud and stored with your Microsoft account to be synced across all your signed-in versions of Microsoft Edge. You can manage this data from Settings and more > Settings > Profiles.
To protect some video and music content from being copied, some streaming websites store Digital Rights Management (DRM) data on your device, including a unique identifier (ID) and media licenses. When you go to one of these websites, it retrieves the DRM info to make sure you have permission to use the content.
Microsoft Edge also stores cookies, small files that are put on your device as you browse the web. Many websites use cookies to store info about your preferences and settings, like saving the items in your shopping cart so you don't have to add them each time you visit. Some websites also use cookies to collect info about your online activity to show you interest-based advertising. Microsoft Edge gives you options to clear cookies and block websites from saving cookies in the future.
Microsoft Edge will send Do Not Track requests to websites when the Send Do Not Track requests setting is turned on. Websites may still track your activities even when a Do Not Track request is sent, however.
How to clear data collected or stored by Microsoft Edge
To clear browsing info stored on your device, like saved passwords or cookies:
- In Microsoft Edge, select Settings and more > Settings > Privacy, search, and services.
- Under Clear browsing data, select Choose what to clear.
- Under Time range, choose a time range.
- Select the check box next to each data type you’d like to clear, and then select Clear now.
- If you’d like, you can select Choose what to clear every time you close the browser and choose which data types should be cleared.
Learn more about what gets deleted for each browser history item.
To clear browsing history collected by Microsoft:
- To see your browsing history associated with your account, sign in to your account at account.microsoft.com. In addition, you also have the option of clearing your browsing data that Microsoft has collected using the Microsoft privacy dashboard.
- To delete your browsing history and other diagnostic data associated with your Windows 10 device, select Start > Settings > Privacy > Diagnostics & feedback, and then select Delete under Delete diagnostic data.
To clear individual passwords stored by Microsoft Edge on your device:
- In Microsoft Edge, select Settings and more > Settings > Profiles, and then select Passwords.
- Under Saved passwords, select More actions next to a website name, and then select Delete to clear the password saved for that site.
How to manage your privacy settings in Microsoft Edge
To change your level of tracking prevention, clear your browsing data, help improve Microsoft Edge, and more, select Settings and more > Settings > Privacy, search, and services.
To choose if websites can ask for permission to use your location, camera, microphone, and more, select Settings and more > Settings > Site permissions.
To choose what types of data are synced across your devices, or to turn off syncing entirely, select Settings and more > Settings > Profiles > Sync.
To learn more about privacy in Microsoft Edge, read the Microsoft Edge privacy whitepaper.