Web HTTP - SameSite Cookie property (First-Party-Only)

Table of Contents

1 - About

samesite is a property of a cookie that controls if cookies should be sent along in a cross-site HTTP request ie:

SameSite cookie are:

They allow servers to mitigate the risk of cross-site request forgery attacks (CSRF) and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

3 - Example

  • Consider the scenario in which a user reads their email at MegaCorp Inc's webmail provider “https://mail.example.com/”.
  • They might expect that clicking on an emailed link to “https://projects.com/secret/project” would show them the secret project that they're authorized to see.
  • But if projects.com has marked their session cookies as strict, then this cross-site navigation won't send them along with the request and projects.com will render a 404 error to avoid leaking secret information.
  • The user will be quite confused.

Developers can avoid this confusion by adopting a session management system that relies on not one, but two cookies:

Number Cookie Authorization SameSite Description
1 read Lax (or empty) Allow users access to data via top-level navigation
2 write Strict Disallow write operation via top-level navigation

The absence of the second cookie would provide a reauthentication step before executing any non-idempotent action.

Ref

4 - Glossary

4.1 - Top-level site

The “top-level site” is the registered domain in the address bar of the browser.

4.2 - Same-site vs Cross-site

A request is:

  • same-site if its target's URI's origin's registrable domain is an exact match for the request's initiator's (the parent),
  • and cross-site otherwise.

Example:

  • login.example.com and blog.example.com will trigger same-site request because they share the same apex domain.

5 - Values

SameSite values:

  • Lax (Default in browser): Cookies:
    • are allowed to be sent with top-level navigations (when this is the first navigation)
    • will be sent along with GET request initiated by third party website.
  • Strict: cookies
    • are only be sent in a first-party context (same-site)
    • will not be sent along with requests initiated by third party websites.
  • None: Cookies will be sent in all contexts, i.e sending cross-origin is allowed.

6 - Documentation / Reference


Data (State)
Data (State)
DataBase
Data Processing
Data Quality
Data Structure
Data Type
Data Warehouse
Data Visualization
Data Partition
Data Persistence
Data Concurrency

Data Science
Data Analysis
Statistics
Data Science
Linear Algebra Mathematics
Trigonometry

Modeling
Process
Logical Data Modeling
Relational Modeling
Dimensional Modeling
Automata

Data Type
Number
Time
Text
Collection
Relation (Table)
Cube
Tree
Key/Value
Graph
Spatial
Color
Log

Measure Levels
Order
Nominal
Discrete
Distance
Ratio

Code
Compiler
Lexical Parser
Grammar
Function
Testing
Debugging
Shipping
Data Type
Versioning
Design Pattern

Infrastructure
Operating System
Cryptography
Security
File System
Network
Process (Thread)
Computer
PerfCounter
Infra As Code

Marketing
Advertising
Analytics
Email

Web
Html
Dom
Http
Url
Css
Javascript
Selector
Browser
Web Services
OAuth

Contact
[email protected]
Privacy Policy
Status

Powered by ComboStrap