The browsers are in a process of changing the default cookie security behaviour in accordance with this document: https://mikewest.github.io/cookie-incrementalism/draft-west-cookie-incrementalism.html That means that right now you get some variation in behaviour (see bug 8191) depending on which browser you use. You also get complaints from the browsers that no explicit "SameSite" attribute has been set. We should probably be more explicit here so that we get a predictable behaviour.