okhttp/okhttp3/Cookie/sameSite

sameSite

val sameSite: String?

Returns a string describing whether this cookie is sent for cross-site calls.

Two URLs are on the same site if they share a top private domain. Otherwise, they are cross-site URLs.

When a URL is requested, it may be in the context of another URL.

  • Embedded resources like images and iframes in browsers use the context as the page in the address bar and the subject is the URL of an embedded resource.

  • Potentially-destructive navigations such as HTTP POST calls use the context as the page originating the navigation, and the subject is the page being navigated to.

The values of this attribute determine whether this cookie is sent for cross-site calls:

  • "Strict": the cookie is omitted when the subject URL is an embedded resource or a potentially-destructive navigation.

  • "Lax": the cookie is omitted when the subject URL is an embedded resource. It is sent for potentially-destructive navigation. This is the default value.

  • "None": the cookie is always sent. The "Secure" attribute must also be set when setting this value.