The specific case we are trying to figure out is what is shared with facebook (and other "first party and "third party" scripts). FB is a pixel image using GET, currently with the url www.facebook.com. Are our cookies set on the sites main domain (.mysite.com) or subdomain (www.mysite.com) shared with facebook?
If we now change facebook to use a first party url, e.g. facebook.mysite.com, are our cookies set on the domain www.mysite.com and .mysite.com shared, with or without samesite set (most of our cookies dont have this set) now shared with FB?
What would really help if if someone could supply is a super simple table of examples (as per below)
Assume using GET to pull in an external resource (e.g. image, xhr request or js library), and consider the three cases where SameSite has value None, Lax, and Strict.
| origin | cookie domain | link | cookie shared? |
|---|---|---|---|
www.mysite.com |
.mysite.com |
pixel.facebook.com |
? |
www.mysite.com |
www.mysite.com |
pixel.facebook.com |
? |
www.mysite.com |
www.mysite.com |
pixel.mysite.com |
? |
www.mysite.com |
.mysite.com |
pixel.mysite.com |
? |
Note that the scheme and (possibly implicit) port, not just the host, are components of a Web origin. Only taking the host into consideration is misleading. Therefore, I've taken the liberty to add a https scheme to all your examples (which has the added benefit of sidestepping a discussion about the Secure attribute).
Under the assumption that example.com be an eTLD+1, the answer doesn't depend on the value of the cookie's SameSite attribute in any of your four cases.
| origin | cookie domain | link | cookie shared? |
|---|---|---|---|
https://www.example.com |
.example.com |
https://pixel.facebook.com |
❌ |
https://www.example.com |
www.example.com |
https://pixel.facebook.com |
❌ |
https://www.example.com |
www.example.com |
https://pixel.example.com |
❌ |
https://www.example.com |
.example.com |
https://pixel.example.com |
✅ |
In the first three cases, browsers will not attach such a cookie to such requests.
Why? Because, in all three cases, the request host does not domain-match the cookie's domain attribute; see RFC6265bis, section 5.6, step 10 of the storage-model algorithm. In particular, cookies associated to example.com in someone's browser are never sent to or accessible by facebook.com or any subdomain thereof. However, if example.com loads facebook.com in an iframe, Facebook can use that to create cookies associated to facebook.com, which will then be attached to requests to Facebook.
In the fourth case, under the assumption that example.com be an eTLD+1, browsers will unconditionally attach such a cookie to such a request. Why? Because, in that case,
SameSite cookie attribute only has an effect on cross-site requests; more about this subtlety in one of my blog posts.Here is a case where the value of the SameSite attribute would matter, because the request in question is cross-site:
| origin | cookie domain | link | SameSite | cookie shared? |
|---|---|---|---|---|
https://facebook.com |
www.example.com |
https://www.example.com |
None | ✅ |
https://facebook.com |
www.example.com |
https://www.example.com |
Lax | ? |
https://facebook.com |
www.example.com |
https://www.example.com |
Strict | ❌ |
In the SameSite=None case, browsers would unconditionally attach the cookie.
In the SameSite=Lax case, browsers would only attach the cookie if the request is a top-level navigation. See Lax allowing unsafe, though.
In the SameSite=Strict case, browsers would not attach the cookie, period.