Reading MDN for SameSite=Lax, it says:

Cookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.

To me that sounds like I could initiate a fetch in JavaScript from a 3rd party, and as long as it's a GET the cookies will be sent.

But according to this answer, even GET requests are only sent during top-level navigation, i.e. not from JS.

I'm guessing the answer is correct. I really hope so, because I'm trying to secure an API and I only want cookies being sent when the user navigates to the 1st-party site, i.e. for OAuth2 interactions etc. SameSite=Strict isn't working for me because if I link to a resource on the 1st-party server, it's still blocked if the referer indicates the navigation came from somewhere else. Refreshing the page doesn't work either. I have to manually navigate to the URL.

EDIT: I just tested this and the behavior is as I hoped. The cookies are not sent with SameSite=Lax fetches. Am I the only one confused by the MDN wording?

anderspitman

1 Answer

With SameSite=Lax, GET requests are sent only with top-level navigations, i.e. when the URL bar changes, so the expected behavior is that a fetch initiated from JavaScript on a 3rd-party site would not result in cookies being sent.

The quote is ambiguous but has fortunately been updated since this question was asked: the current version of the MDN docs on SameSite has a much clearer description of SameSite=Lax.

Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).

This is the default cookie value if SameSite has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).

Internet archive sleuthing

From bisecting the Internet Archive snapshots of that page, it appears that the wording was changed to make this clearer at some point between 2020-11-11 and 2020-11-28:

On the snapshot from 2020-11-11 (https://web.archive.org/web/20201111134030/https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) the quote from the question is present:

Cookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.

But in snapshots taken on or after 2020-11-28, starting with https://web.archive.org/web/20201128122348/https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, the description for SameSite=lax now reads:

Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e. when following a link).

This is the default cookie value if SameSite has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).

Nick Meyer
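As an added example that is not part of the question or the answer, here is a small JavaScript model of the decision the answer describes: whether a browser attaches a cookie given its SameSite attribute, whether the request is a top-level navigation, and the request method. The site names, the cookie and request object shapes, and the scenario list are constructed for illustration.

```javascript
// Constructed model of the SameSite rules described above (added example,
// not browser or MDN code). "Site" means the registrable domain, assumed to
// be computed by the caller; the object shapes below are made up here.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { name, site, sameSite?: "Strict" | "Lax" | "None", secure }
// request: { targetSite, initiatorSite, topLevelNavigation, method, https }
function cookieWouldBeSent(cookie, request) {
  // A cookie is only ever a candidate for requests to its own site.
  if (cookie.site !== request.targetSite) return false;

  // Unspecified SameSite defaults to Lax in modern browsers.
  const mode = cookie.sameSite ?? "Lax";

  // SameSite=None is only honoured on Secure cookies sent over HTTPS.
  if (mode === "None") return Boolean(cookie.secure && request.https);

  // Same-site requests (initiator and target share a site) always carry it.
  if (request.initiatorSite === cookie.site) return true;

  // Cross-site from here on. Strict never sends cross-site, even when the
  // user follows a link from another site (the questioner's observation).
  if (mode === "Strict") return false;

  // Lax: cross-site only for a top-level navigation with a safe method.
  // A fetch()/XHR/img/iframe subrequest is not a top-level navigation, so
  // a cross-site GET fetch does not get the cookie.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// Constructed scenarios from the thread: API at api.example, third party at
// other.example. Returns a name -> boolean map for each SameSite mode.
function evaluateScenarios(sameSite) {
  const cookie = { name: "session", site: "api.example", sameSite, secure: true };
  const base = { targetSite: "api.example", https: true };
  const from3rd = { ...base, initiatorSite: "other.example" };
  return {
    crossSiteFetchGet: cookieWouldBeSent(cookie, { ...from3rd, topLevelNavigation: false, method: "GET" }),
    crossSiteLinkClick: cookieWouldBeSent(cookie, { ...from3rd, topLevelNavigation: true, method: "GET" }),
    crossSiteFormPost: cookieWouldBeSent(cookie, { ...from3rd, topLevelNavigation: true, method: "POST" }),
    sameSiteFetch: cookieWouldBeSent(cookie, { ...base, initiatorSite: "api.example", topLevelNavigation: false, method: "GET" }),
  };
}
```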