Web HTTP - SameSite Cookie property (First-Party-Only)
Table of Contents
About
samesite is a property of a cookie that controls if cookies should be sent along in a cross-site HTTP request ie:
- when the apex/registrable domain of the code (HTML, Javascript, ..) that created the request
- is not the same apex/registrable domain than the URL of the request
SameSite cookie are:
- also known First-Party-Only
They allow servers to mitigate the risk of cross-site request forgery attacks (CSRF) and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
Articles Related
Example
- Consider the scenario in which a user reads their email at MegaCorp Inc's webmail provider “https://mail.example.com/”.
- They might expect that clicking on an emailed link to “https://projects.com/secret/project” would show them the secret project that they're authorized to see.
- But if projects.com has marked their session cookies as strict, then this cross-site navigation won't send them along with the request and projects.com will render a 404 error to avoid leaking secret information.
- The user will be quite confused.
Developers can avoid this confusion by adopting a session management system that relies on not one, but two cookies:
Number | Cookie Authorization | SameSite | Description |
---|---|---|---|
1 | read | Lax (or empty) | Allow users access to data via top-level navigation |
2 | write | Strict | Disallow write operation via top-level navigation |
The absence of the second cookie would provide a reauthentication step before executing any non-idempotent action.
Glossary
Top-level site
The “top-level site” is the registered domain in the address bar of the browser.
Same-site vs Cross-site
A request is:
- same-site if its target's URI's origin's registrable domain is an exact match for the request's initiator's (the parent),
- and cross-site otherwise.
Example:
- login.example.com and blog.example.com will trigger same-site request because they share the same apex domain.
Values
SameSite values:
- Lax (Default in browser): Cookies:
- are allowed to be sent with top-level navigations (when this is the first navigation)
- will be sent along with GET request initiated by third party website.
- Strict: cookies
- are only be sent in a first-party context (same-site)
- will not be sent along with requests initiated by third party websites.
- None: Cookies will be sent in all contexts, i.e sending cross-origin is allowed.