As per new RFC for cookies,
A new attribute is introduced for cookies called SameSite. This attributes decides whether cookies associcated with request are forward or not along with request on a cross site request.
SameSite attributes accept three values. lax, strict and none.
SameSite=lax,
For HTTP methods like POST, PUT , DELETE, if the request is originated from cross site. Cookies will be blocked in the request.
For HTTP Methods like GET, HEAD, If the request is originated from cross site. Cookies will be allowed along with the request.
SameSite=strict
Cookies are blocked , if the request is cross site request.
For HTTP methods like POST, PUT , DELETE, if the request is originated from cross site. Cookies will be blocked in the request.
For HTTP Methods like GET, HEAD, If the request is originated from cross site. Cookies will be blocked in the request.
SameSite=none
Cookies are allowed for all methods for cross origin request.
Some of the browsers mandate to secure flag along with none flag.
This is called no restriction.
What is samesite and crosssite.
Example 1:
sample.test.com and sample.abc.com are cross site.
Example 2:
sample.test.com and abc.test.com are same site
Example 3:
sample.abc.test.com and xyz.abc.test.com are samesite.
Example 4:
sample.hyd.test.com and xyz.ind.test.com are samesite as per chrome implementation.
Cookie Domain is not considered while deciding if the request is same site or cross site.
Example
sample.hyd.test.com and xyz.ind.test.com are two sites whos cookie domain scope is 3.
implies cookie created for sample.hyd.test.com with cookie domain value .hyd.test.com and cookie created for xyz.ind.test.com with cookie domain value ind.test.com.
When there request from sample.hyd.test.com is made to xyz.ind.test.com. This will be treated as samesite, ind.test.com domain cookie is forward to xyz.ind.test.com site.
A new attribute is introduced for cookies called SameSite. This attributes decides whether cookies associcated with request are forward or not along with request on a cross site request.
SameSite attributes accept three values. lax, strict and none.
SameSite=lax,
For HTTP methods like POST, PUT , DELETE, if the request is originated from cross site. Cookies will be blocked in the request.
For HTTP Methods like GET, HEAD, If the request is originated from cross site. Cookies will be allowed along with the request.
SameSite=strict
Cookies are blocked , if the request is cross site request.
For HTTP methods like POST, PUT , DELETE, if the request is originated from cross site. Cookies will be blocked in the request.
For HTTP Methods like GET, HEAD, If the request is originated from cross site. Cookies will be blocked in the request.
SameSite=none
Cookies are allowed for all methods for cross origin request.
Some of the browsers mandate to secure flag along with none flag.
This is called no restriction.
What is samesite and crosssite.
Example 1:
sample.test.com and sample.abc.com are cross site.
Example 2:
sample.test.com and abc.test.com are same site
Example 3:
sample.abc.test.com and xyz.abc.test.com are samesite.
Example 4:
sample.hyd.test.com and xyz.ind.test.com are samesite as per chrome implementation.
Cookie Domain is not considered while deciding if the request is same site or cross site.
Example
sample.hyd.test.com and xyz.ind.test.com are two sites whos cookie domain scope is 3.
implies cookie created for sample.hyd.test.com with cookie domain value .hyd.test.com and cookie created for xyz.ind.test.com with cookie domain value ind.test.com.
When there request from sample.hyd.test.com is made to xyz.ind.test.com. This will be treated as samesite, ind.test.com domain cookie is forward to xyz.ind.test.com site.
Thanks for sharing.
ReplyDeleteISO 27001 lead auditor training Qatar