Google Said:
In May 2019 Google announced that cookies that do not include the “SameSite=None” and Secure” labels will not be accessible by any third parties, in Chrome version 80 and further. The Secure label means cookies need to be set and read via HTTPS connections.
Chrome SameSite cookie default is: “None” which allows third-party cookies to track users across sites. But from February 4 2020, cookies will default into “SameSite=Lax” which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie.
Any cookie with the “SameSite=None” label must also have a secure flag, meaning it will only be created and sent through requests made over HTTPs. Meanwhile, the “SameSite=Strict” designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher.
What is SameSite?
SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are lax or strict.
The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project.
Treat cookies as SameSite=Lax by default if no SameSite attribute is specified. Developers are still able to opt-in to the status quo of unrestricted use by explicitly asserting SameSite=None.
The Stable version of Chrome 80 is targeted for enabling this feature by default. This feature is available as of Chrome 76 by enabling the same-site-by-default-cookies flag.
Please review https://www.chromium.org/updates/same-site for full timeline and more details.
The OWASP posted a post aka “OWASP’s Top 10” for spreading awareness for developers about web application security. This explains more details about most critical security risks to web applications.