What are first-party and third-party cookies?
- Cookies that match the domain of the current site, i.e. what’s displayed in the browser’s address bar, are referred to as first-party cookies.
- Cookies from domains other than the current site are referred to as third-party cookies.
SameSite attribute
- Strict: If you set SameSite to Strict, your cookie will only be sent in a first-party context. In user terms, the cookie will only be sent if the site for the cookie matches the site currently shown in the browser’s URL bar.
- Lax: When you set a cookie’ SameSite attribute to Lax, the cookie will be sent along with the GET request initiated by third party website.
The important point here is that, to send a cookie with a GET request, GET request being made must cause a top level navigation. Only in this way, the cookie set as LAX will be sent.