Microsoft is testing the SameSite cookies in Windows 10 Insider builds via an update to its Edge browser. Build 17672 enables the standard, which gives users protection against cross-site forgery attacks.
“Historically, sites such as example.com that make ‘cross-origin’ requests to other domains such as microsoft.com have generally caused the browser to send microsoft.com’s cookies as part of the request,” said the Microsoft Edge team. “Normally, the user benefits by being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. Same-site cookies are a valuable addition to the defense in depth against CSRF attacks.”
Going forward, web developers will be able to set the SameSite attribute on cookies of their choice via the Set-Cookie header. This should prevent the browser from sending cookies in cross-site requests or set specific circumstances where they’re not allowed.
Though this is currently exclusive to Redstone 5, Microsoft plans to roll it out to users on the Creators Update or higher if it goes well. Either way, the attribute will be backward compatible with earlier browser versions, which will simply ignore it.
The team is planning to support to SameSite cookies even though it’s not a finalized standard at the IETF. It’s stability and compelling nature are apparently enough to warrant an early implementation as its standardization progresses.
You can read more about the support on the Windows blog.