erlyaws / yaws

Yaws webserver
https://erlyaws.github.io
BSD 3-Clause "New" or "Revised" License

feature request: 'SameSite' cookie attribute #321

Closed leoliu closed 3 years ago

leoliu commented 6 years ago

Now supported by Firefox and Chrome per https://caniuse.com/#feat=same-site-cookie-attribute. But the draft spec has seen no update for a long time. So maybe wait until it is part of the standard. https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

leoliu commented 6 years ago

This feature is now in Firefox and Chrome. Looks like it is landing in the Microsoft Edge browser according to https://blogs.windows.com/msedgedev/2018/05/17/samesite-cookies-microsoft-edge-internet-explorer/. It is the simplest and most effective way to mitigate CSRF attacks.