Same-Site Cookies by Default (textslashplain.com)
29 points by twapi on Oct 1, 2019 | hide | past | favorite | 5 comments


Sigh. This is going to break a lot of sites—especially the less than clearly documented behavior of SameSite=Lax with iframe content. If I understand it correctly, iframe’d content, even from the same domain as the parent frame, won’t receive any cookies set to SameSite=Lax or Strict.

Does anyone know the rationale for this on non-cross-domain frames?


For same domain requests even with iframe the cookies are sent. I'm more worried about the fact that it may break cross domain authentication, though most authentication frameworks support passing state through the authentication mechanism.


This will be great. I tried whitelisting 3rd party cookies for a couple of months but it was unsustainable; this is a good step forward.


What did you have to whitelist? I've had third party cookies disabled for a few weeks and it seems to work.


...

> So the Chrome folks plan to change that.

> In Chrome 80 and later, cookies will default to SameSite=Lax. This means that cookies will automatically be sent only in a first party context unless they opt-out by explicitly setting a directive of None:

    Set-Cookie: ACookieAvailableCrossSite; SameSite=None; secure; httponly
> This change is small in size, and huge in scope. It has huge implications for any site that expects its cookies to be used in a cross-origin context.

...

> The Chrome team has set an ambitious timeline which calls for turning this feature on-by-default for Chrome 80, slated for stable release on February 4th, 2020.
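The Lax/Strict/None behaviour the thread is arguing about (same-site iframes still get cookies, cross-site iframes and cross-site POST callbacks do not under Lax, None requires Secure), modelled as a small Python check. This is an added example, not code from the post or from the linked article; the site comparison approximates eTLD+1 as the last two host labels and ignores scheme, which is an assumption for illustration.

```python
from dataclasses import dataclass

def site_of(host: str) -> str:
    """Approximate the registrable domain (eTLD+1) as the last two labels.
    Assumption for this example; a real browser uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

@dataclass
class Cookie:
    name: str
    same_site: str = "Lax"   # Chrome 80 default when the attribute is absent
    secure: bool = False

def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value, applying the Lax-by-default rule."""
    parts = [p.strip() for p in header.split(";")]
    cookie = Cookie(name=parts[0].split("=", 1)[0])
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            value = value.strip().capitalize()
            if value in ("Lax", "Strict", "None"):
                cookie.same_site = value   # unknown values keep the Lax default
        elif key == "secure":
            cookie.secure = True
    return cookie

def cookie_sent(cookie: Cookie, request_host: str, top_level_host: str,
                method: str = "GET", top_level_navigation: bool = False) -> bool:
    """Would the browser attach `cookie` to a request for request_host made
    from a page whose top-level site is top_level_host?"""
    if site_of(request_host) == site_of(top_level_host):
        return True   # same-site iframe, fetch or form post: always attached
    if cookie.same_site == "None":
        # None without Secure is rejected by Chrome 80, so it is never sent
        return cookie.secure
    if cookie.same_site == "Lax":
        # Lax: only on top-level navigations using a safe method (GET)
        return top_level_navigation and method.upper() == "GET"
    return False          # Strict: never on a cross-site request

if __name__ == "__main__":
    # constructed sample: the header quoted above plus a default cookie
    shared = parse_set_cookie("ACookieAvailableCrossSite; SameSite=None; secure; httponly")
    session = parse_set_cookie("session=abc; HttpOnly")
    print(cookie_sent(session, "static.example.com", "www.example.com"))  # same-site iframe
    print(cookie_sent(session, "example.com", "other.net"))               # cross-site iframe
    print(cookie_sent(session, "example.com", "idp.net", "POST", True))   # auth POST callback
    print(cookie_sent(shared, "example.com", "other.net"))                # None + Secure
```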



