Cookie Transmission Scenario Analysis
This document analyzes cookie transmission scenarios and tabulates whether the browser transmits a cookie for each combination of SameSite setting and Domain attribute. The analysis covers requests between https://api.hello.dev and https://hello.dev.
Prerequisites
All cookies have the following common options:
- Secure=true: Cookies are transmitted only over HTTPS connections
Every request analyzed here is same-site (origin and target share the same registrable domain hello.dev), and the browser transmits cookies with any SameSite setting on same-site requests, so there's no blocking due to SameSite here. When a cookie's Domain attribute is specified, the cookie is transmitted to that domain and all its subdomains. In the tables below, ✅ indicates cookie transmission, and 🚫 indicates no transmission.
https://api.hello.dev → https://api.hello.dev
| Domain | SameSite | Form GET | Form POST | Fetch GET | Fetch POST |
|---|---|---|---|---|---|
| api.hello.dev | Strict | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| api.hello.dev | Lax | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| api.hello.dev | None | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | Strict | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | Lax | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | None | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
https://api.hello.dev → https://*.hello.dev
| Domain | SameSite | Form GET | Form POST | Fetch GET | Fetch POST |
|---|---|---|---|---|---|
| api.hello.dev | Strict | 🚫 | 🚫 | 🚫 | 🚫 |
| api.hello.dev | Lax | 🚫 | 🚫 | 🚫 | 🚫 |
| api.hello.dev | None | 🚫 | 🚫 | 🚫 | 🚫 |
| .hello.dev | Strict | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | Lax | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | None | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
https://api.hello.dev → https://hello.dev
| Domain | SameSite | Form GET | Form POST | Fetch GET | Fetch POST |
|---|---|---|---|---|---|
| api.hello.dev | Strict | 🚫 | 🚫 | 🚫 | 🚫 |
| api.hello.dev | Lax | 🚫 | 🚫 | 🚫 | 🚫 |
| api.hello.dev | None | 🚫 | 🚫 | 🚫 | 🚫 |
| .hello.dev | Strict | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | Lax | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | None | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
https://hello.dev → https://api.hello.dev
| Domain | SameSite | Form GET | Form POST | Fetch GET | Fetch POST |
|---|---|---|---|---|---|
| hello.dev | Strict | 🚫 | 🚫 | 🚫 | 🚫 |
| hello.dev | Lax | 🚫 | 🚫 | 🚫 | 🚫 |
| hello.dev | None | 🚫 | 🚫 | 🚫 | 🚫 |
| .hello.dev | Strict | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | Lax | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | None | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
https://hello.dev → https://*.hello.dev
| Domain | SameSite | Form GET | Form POST | Fetch GET | Fetch POST |
|---|---|---|---|---|---|
| hello.dev | Strict | 🚫 | 🚫 | 🚫 | 🚫 |
| hello.dev | Lax | 🚫 | 🚫 | 🚫 | 🚫 |
| hello.dev | None | 🚫 | 🚫 | 🚫 | 🚫 |
| .hello.dev | Strict | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | Lax | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
| .hello.dev | None | ✅ | ✅ | ✅ ¹ | ✅ ¹ |
Footnotes
¹ With credentials (the Fetch API requires the credentials: include option)
Note: When the domain attribute is specified, cookies are transmitted to the specified domain and all its subdomains.
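
The two checks behind the tables above (domain matching, then SameSite enforcement) can be modeled in a few lines; this is an added example, not code from the original page. It assumes that table rows without a leading dot are host-only cookies (set without a Domain attribute), that Fetch requests carry credentials as in footnote ¹, and it goes beyond the page's scenarios by adding a constructed cross-site origin, https://other.example, to show where SameSite starts to matter.

```javascript
// Assumption: the registrable domain is the last two labels (true for hello.dev;
// real browsers consult the Public Suffix List).
const site = (host) => host.split(".").slice(-2).join(".");

// Domain matching. hostOnly = cookie was set without a Domain attribute.
function domainMatches(cookie, targetHost) {
  if (cookie.hostOnly) return targetHost === cookie.domain;
  const d = cookie.domain.replace(/^\./, ""); // a leading dot is ignored
  return targetHost === d || targetHost.endsWith("." + d);
}

// kind: "form-get" | "form-post" | "fetch-get" | "fetch-post"
function sameSiteAllows(cookie, originHost, targetHost, kind) {
  if (site(originHost) === site(targetHost)) return true; // same-site: never blocked
  if (cookie.sameSite === "None") return true;
  if (cookie.sameSite === "Lax") return kind === "form-get"; // top-level safe navigation only
  return false; // Strict: never sent cross-site
}

function willSend(cookie, origin, target, kind) {
  const o = new URL(origin), t = new URL(target);
  if (cookie.secure && t.protocol !== "https:") return false; // Secure=true
  return domainMatches(cookie, t.hostname) &&
         sameSiteAllows(cookie, o.hostname, t.hostname, kind);
}

const KINDS = ["form-get", "form-post", "fetch-get", "fetch-post"];

// One table row as four booleans (Form GET, Form POST, Fetch GET, Fetch POST).
function row(cookie, origin, target) {
  return KINDS.map((k) => willSend(cookie, origin, target, k));
}

// Constructed sample cookies matching the rows in the tables.
const hostOnlyApi = { domain: "api.hello.dev", hostOnly: true, sameSite: "Strict", secure: true };
const wide = (sameSite) => ({ domain: ".hello.dev", hostOnly: false, sameSite, secure: true });

console.log(row(hostOnlyApi, "https://api.hello.dev", "https://hello.dev"));
console.log(row(wide("Strict"), "https://api.hello.dev", "https://hello.dev"));
console.log(row(wide("Lax"), "https://other.example", "https://api.hello.dev"));
```
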