Microsoft Introduces Previewing Support For Same-Site Cookies In Microsoft Edge

Microsoft has introduced support for the SameSite cookies standard in Microsoft Edge with Windows Insider Preview build 17672, ahead of the planned rollout in Microsoft Edge and Internet Explorer. Microsoft says that same-site cookies will give users more protection against cross-site request forgery (CSRF) attacks.

Microsoft states,

“Historically, sites such as that make “cross-origin” requests to other domains such as have generally caused the browser to send’s cookies as part of the request. Normally, the user benefits from being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. Same-site cookies are a valuable addition to the defence in depth against CSRF attacks.”

Sites will now be able to set the SameSite attribute on cookies of their choosing via the Set-Cookie header or via the document.cookie JavaScript property, preventing the default browser behaviour of sending cookies on cross-site requests.

If the Strict value is specified when the same-site cookie is set, the cookie will not be sent on any cross-site request, including clicks on links from external sites. If the logged-in state is stored in a SameSite=Strict cookie, a user who clicks such a link will initially appear not to be logged in.

If the Lax value is specified when the same-site cookie is set, the cookie will not be sent on cross-origin sub-resource requests, such as images. SameSite=Lax cookies will still be sent on navigations from an external site, for example when a link is clicked.

This feature is fully backwards compatible: browsers that do not support same-site cookies ignore the additional attribute and treat the cookie as a regular cookie.
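To make the Strict and Lax rules above concrete, here is an added example (not Microsoft's or Edge's code) that models the decision a browser makes for each cookie on each outgoing request. The cookie parser, the request shape (`crossSite`, `topLevelNavigation`, `method`) and the `bank.example` scenario are assumptions constructed for this illustration, not a browser API; the Lax branch also applies the safe-method restriction from the SameSite draft, which the article does not spell out.

```javascript
// Added example (not Microsoft's code): a model of the SameSite decision a
// browser makes for each cookie on each outgoing request, so the Strict/Lax
// behaviour described in the article can be exercised. The request shape and
// the parser are assumptions for this illustration, not a browser API.

// Parse one Set-Cookie header value (same grammar as a document.cookie write).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    if (k.toLowerCase() === 'samesite') {
      const mode = v.toLowerCase();
      // An unrecognised value is ignored: the cookie stays a regular cookie,
      // which is also what a browser without SameSite support does.
      if (mode === 'strict' || mode === 'lax') cookie.sameSite = mode;
    }
  }
  return cookie;
}

// Decide whether `cookie` accompanies `request`.
// request: { crossSite: bool, topLevelNavigation: bool, method: string }
function shouldSendCookie(cookie, request, browserSupportsSameSite = true) {
  if (!browserSupportsSameSite) return true;  // older browser: attribute ignored
  if (!request.crossSite) return true;        // same-site requests always carry cookies
  switch (cookie.sameSite) {
    case 'strict':
      return false;                           // never cross-site, not even a clicked link
    case 'lax':
      // Sent only for top-level navigations with a safe method (a link click),
      // never for sub-resources such as images or for cross-site form POSTs.
      return request.topLevelNavigation && request.method === 'GET';
    default:
      return true;                            // classic behaviour that CSRF relies on
  }
}

// Constructed scenario: a session cookie set three ways by https://bank.example,
// then the kinds of request a third-party page could cause the browser to make.
const COOKIES = {
  legacy: parseSetCookie('session=abc123; Secure; HttpOnly; Path=/'),
  lax:    parseSetCookie('session=abc123; Secure; HttpOnly; Path=/; SameSite=Lax'),
  strict: parseSetCookie('session=abc123; Secure; HttpOnly; Path=/; SameSite=Strict'),
};

const REQUESTS = {
  sameSiteXhr:   { crossSite: false, topLevelNavigation: false, method: 'POST' },
  linkClick:     { crossSite: true,  topLevelNavigation: true,  method: 'GET'  },
  embeddedImage: { crossSite: true,  topLevelNavigation: false, method: 'GET'  },
  crossSiteForm: { crossSite: true,  topLevelNavigation: true,  method: 'POST' },
};

// Table of which cookie variant is sent on which request.
function sendMatrix() {
  const matrix = {};
  for (const [c, cookie] of Object.entries(COOKIES)) {
    matrix[c] = {};
    for (const [r, request] of Object.entries(REQUESTS)) {
      matrix[c][r] = shouldSendCookie(cookie, request);
    }
  }
  return matrix;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(sendMatrix());
}
```

Running the block prints the matrix; the row worth reading first is `crossSiteForm`, where only the cookie with no SameSite attribute is sent, which is exactly the request a CSRF page relies on. The `linkClick` row shows the usability trade-off the article describes: a Strict cookie stays behind on an external link, so the user lands on the site looking logged out, while a Lax cookie comes along.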

The company states,

“We continuously work to improve our support of standards towards a more interoperable web. Although same-site cookies is not yet a finalized standard at the Internet Engineering Task Force (IETF), we believe the feature is stable and compelling enough to warrant an early implementation as the standardization process progresses.”


Tahseen Jamil

Tahseen is an avid technology buff and thinks that robots should rule the world. She cannot wait for the self-driving revolution to get here and for the IoT to make all her stuff know what she wants before she wants it. The Singularity is near, and she believes that Cortana will someday take over.