Set cookie with duplicated attribute with different values


Let's say I try to set a cookie with 2 (or more!) SameSite attributes with different values, like:

CookieName=CookieValue; secure; SameSite=None; SameSite=Lax

Which value will be taken into account?

I've done some tests in Chrome 116 and I see that the last value is always taken into account:

| Attributes in Set-Cookie | Resulting Value |
|---|---|
| ...; SameSite=None; SameSite=Lax | Lax |
| ...; SameSite=Lax; SameSite=None | None |
| ...; SameSite=Strict; SameSite=None | None |

But I wonder if this behaviour is defined somewhere in the specification or if it is browser specific.


Solution

  • Although the SameSite attribute is not yet mentioned there, the specification for receiving cookies in RFC 6265 states that only the last attribute value is stored if there are several, for example:

    If the cookie-attribute-list contains an attribute with an attribute-name of "Domain": Let the domain-attribute be the attribute-value of the last attribute in the cookie-attribute-list with an attribute-name of "Domain".
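
The last-attribute rule quoted above, as an added example that is not part of the original answer: a small Set-Cookie parser that keeps the last value of each attribute and reports attributes that appear with conflicting values, which is useful for auditing response headers where a framework and a proxy both append `SameSite`. It assumes the rule applies to every attribute, including `SameSite` as the question observed in Chrome 116; `parseSetCookie`, `effectiveSameSite` and `samples` are hypothetical names.

```javascript
// Added example: resolve duplicated Set-Cookie attributes with the
// "last occurrence wins" rule and report conflicting duplicates.
// Assumption: the rule is applied uniformly to all attributes.
function parseSetCookie(header) {
  const parts = header.split(';');
  const pair = parts.shift();
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('missing cookie name');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attributes: Object.create(null), // effective value per attribute
    conflicts: [], // attributes seen with more than one distinct value
  };
  const seen = new Map(); // lower-cased attribute name -> values in order
  for (const raw of parts) {
    const av = raw.trim();
    if (av === '') continue;
    const i = av.indexOf('=');
    // Attribute names are matched case-insensitively.
    const name = (i === -1 ? av : av.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? '' : av.slice(i + 1).trim();
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  for (const [name, values] of seen) {
    cookie.attributes[name] = values[values.length - 1]; // last wins
    const distinct = new Set(values.map((v) => v.toLowerCase()));
    if (distinct.size > 1) cookie.conflicts.push({ name, values });
  }
  return cookie;
}

function effectiveSameSite(header) {
  return parseSetCookie(header).attributes.samesite;
}

// Constructed sample headers, mirroring the rows of the question's table.
const samples = [
  'CookieName=CookieValue; secure; SameSite=None; SameSite=Lax',
  'CookieName=CookieValue; secure; SameSite=Lax; SameSite=None',
  'CookieName=CookieValue; secure; SameSite=Strict; SameSite=None',
];
for (const h of samples) {
  const c = parseSetCookie(h);
  console.log(effectiveSameSite(h), JSON.stringify(c.conflicts));
}
```

A non-empty `conflicts` array marks a header whose effective policy depends on attribute order, so it is worth fixing at the source rather than relying on the receiver's tie-break.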