'SameSite' cookie attribute

Same-site cookies ("First-Party-Only" or "First-Party") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

Chrome

4 - 50: Not supported
51 - 79: Supported
80 - 123: Supported
124: Supported
125 - 127: Supported

Edge

12 - 15: Not supported
16 - 17: Supported
18 - 85: Supported
86 - 122: Supported
123: Supported

Safari

3.1 - 11.1: Not supported
12 - 13.1: Partial support
14 - 14.1: Partial support
15 - 17.3: Supported
17.4: Supported
17.5 - TP: Supported

Firefox

2 - 59: Not supported
60 - 124: Supported
125: Supported
126 - 128: Supported

Opera

9 - 38: Not supported
39 - 70: Supported
71 - 108: Supported
109: Supported

IE

5.5 - 10: Not supported
11: Partial support

Chrome for Android

123: Supported

Safari on iOS

3.2 - 11.4: Not supported
12 - 12.5: Partial support
13 - 17.3: Supported
17.4: Supported
17.5: Supported

Samsung Internet

4: Not supported
5 - 23: Supported
24: Supported

Opera Mini

all: Not supported

Opera Mobile

10 - 12.1: Not supported
80: Supported

UC Browser for Android

15.5: Not supported

Android Browser

2.1 - 4.4.4: Not supported
123: Supported

Firefox for Android

124: Supported

QQ Browser

14.9: Support unknown

Baidu Browser

13.52: Supported

KaiOS Browser

2.5: Not supported
3: Supported

This feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie. There is no need to deliver different cookies to clients.

Resources:: MS Edge dev blog: "Previewing support for same-site cookies in Microsoft Edge"; Mozilla Bug #1286861, includes the patches that landed SameSite support in Firefox; Mozilla Bug #1551798: Prototype SameSite=Lax by default; Mozilla Bug #795346: Add SameSite support for cookies; Microsoft Edge Browser Status; Same-site cookies demonstration by Rowan Merewood; Preventing CSRF with the same-site cookie attribute