
SameSite Cookie

The SameSite cookie attribute is an important security measure that tells the browser whether to send a cookie along with cross-site requests. It aims to mitigate risks such as cross-site request forgery (CSRF) and information leakage. It has three possible values: Strict, Lax, and None.

Scenario 1: Clicking a Link to a Third-Party Site

  • You are logged into your favorite social media site (myawesomesocial.com).
  • You see an interesting article shared by a friend on a news website (coolnews.com).
  • You click on the link to read the article.

With SameSite=Lax:

  • Clicking the link is a top-level GET navigation, the one kind of cross-site request on which Lax still allows cookies. A cookie is only ever sent to the site that set it, so your myawesomesocial.com session cookie is not sent to coolnews.com; what that navigation carries is any cookie coolnews.com itself has set for you.
  • The same rule works in the other direction: when you follow a link from coolnews.com back to myawesomesocial.com, that top-level GET carries your session cookie, so you arrive already logged in instead of at a login page. This is the cross-site usability Lax preserves (with Strict the cookie would be dropped and that first page view would look logged out).

Scenario 2: Submitting a Form on a Third-Party Site

  • You are browsing a blog (interestingblog.com).
  • Embedded in the blog post is a form to sign up for a newsletter hosted on a different site (newslettersignup.com).
  • You fill out the newsletter form and click submit.

With SameSite=Lax:

  • The form submission is a cross-site POST. Lax only sends cookies on top-level navigations that use a safe method such as GET, so the browser leaves newslettersignup.com's cookies out of the request. The same rule is what protects you from CSRF: if the blog's form instead posted to myawesomesocial.com, your session cookie would be omitted, so the blog cannot trigger actions on your social media account without your awareness.
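The two scenarios above, traced through a small model of the browser's SameSite decision. This is an added example, not code from the original page; the domain names are the page's hypothetical sites, and the model makes some simplifying assumptions: a "site" is the last two host labels (no public-suffix list, no schemeful same-site), and a cookie with no SameSite attribute is treated as Lax, which is Chromium's default but not every browser's.

```javascript
// Added example, not from the original page: a minimal model of the
// browser's SameSite decision, used to trace the page's two scenarios.
// Assumptions: site = last two host labels; unspecified SameSite = Lax.

// Registrable domain of a host, e.g. "www.coolnews.com" -> "coolnews.com".
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// cookie:  { site, sameSite }  -- the site that set the cookie and its SameSite value
// request: { target, initiator, method, topLevel }
// Returns true if the browser attaches the cookie to the request.
function cookieIsSent(cookie, request) {
  // A cookie is only ever sent to the site that set it, whatever SameSite says.
  if (siteOf(request.target) !== cookie.site) return false;
  // Same-site requests always carry the cookie.
  if (siteOf(request.initiator) === cookie.site) return true;
  // Cross-site request: the attribute decides.
  switch ((cookie.sameSite || 'Lax').toLowerCase()) {
    case 'strict': return false;
    case 'none':   return true;   // browsers also require Secure for this to be accepted
    default:       // lax: only top-level navigations with a safe method
      return request.topLevel === true && request.method.toUpperCase() === 'GET';
  }
}

// The session cookie from the page's scenarios (constructed sample).
const sessionCookie = { site: 'myawesomesocial.com', sameSite: 'Lax' };

// The scenarios from the text, plus the cases behind the "not foolproof" note.
function runScenarios(cookie = sessionCookie) {
  const req = (initiator, target, method, topLevel) => ({ initiator, target, method, topLevel });
  return {
    // Scenario 1: a top-level link click from the social site to the news site.
    linkToNews:       cookieIsSent(cookie, req('myawesomesocial.com', 'coolnews.com', 'GET', true)),  // false: other site
    // ...and back again: the session cookie rides along, so you arrive logged in.
    linkBackToSocial: cookieIsSent(cookie, req('coolnews.com', 'myawesomesocial.com', 'GET', true)), // true
    // Scenario 2 in its CSRF shape: a form on the blog POSTing to the social site.
    crossSitePost:    cookieIsSent(cookie, req('interestingblog.com', 'myawesomesocial.com', 'POST', true)), // false
    // Caveat: an endpoint that changes state on GET is still reachable by a top-level navigation...
    crossSiteGet:     cookieIsSent(cookie, req('interestingblog.com', 'myawesomesocial.com', 'GET', true)),  // true
    // ...but not from an embedded image, iframe or fetch, which is not top-level.
    embeddedGet:      cookieIsSent(cookie, req('interestingblog.com', 'myawesomesocial.com', 'GET', false)), // false
  };
}
```

The `crossSiteGet` case is why Lax is described below as not foolproof: the attribute assumes GET requests are safe, so the application still has to make sure no state changes on GET.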

What "Lax" Means

"Lax" provides a balance between:

  • Some Cross-Site Usability: Seamless experiences when clicking links to external sites are still possible.
  • CSRF Protection: Common CSRF vectors (cross-site form POSTs, requests from embedded content or scripts) are blocked. The one cross-site case Lax allows, a top-level GET navigation, is low risk as long as the site does not change state in response to a GET.

Important Considerations:

  • Lax is not foolproof against CSRF – an endpoint that changes state on a GET request is still reachable through a top-level navigation, and more complex attacks can still be crafted.
  • If the third-party site (coolnews.com in the first example) itself has vulnerabilities, your Lax cookie could still be exploited in more advanced attack scenarios.
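A check worth running over a server's response headers, as an added example (not from the original page): parse each Set-Cookie value and report cookies that leave SameSite unspecified, combine SameSite=None with a missing Secure flag (a combination browsers reject), or use an unknown value. The sample headers are constructed for the example.

```javascript
// Added example, not from the original page: audit Set-Cookie header values
// for their SameSite and Secure attributes.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) get the value true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the findings a reviewer would raise for one Set-Cookie header.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
  const secure = c.attrs.secure === true;

  if (sameSite === undefined) {
    findings.push('no SameSite attribute: browsers differ on the default, set it explicitly');
  } else if (sameSite === 'none' && !secure) {
    findings.push('SameSite=None without Secure: browsers reject this cookie');
  } else if (!['strict', 'lax', 'none'].includes(sameSite)) {
    findings.push(`unknown SameSite value "${c.attrs.samesite}"`);
  }
  if (!secure) findings.push('no Secure flag: cookie is also sent over plain HTTP');

  return { name: c.name, sameSite, findings };
}

// Constructed sample headers: a weak session cookie, its corrected form, and a
// third-party cookie that would be rejected outright.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly',
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'tracker=xyz; SameSite=None',
];

// Audit every sample and return the results keyed by header.
function auditAll(headers = SAMPLE_HEADERS) {
  return Object.fromEntries(headers.map(h => [h, auditSetCookie(h)]));
}
```

Run `auditAll()` and only the second header comes back clean; the first is flagged for relying on the browser default, the third for SameSite=None without Secure.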
Last Update: 04:41 - 19 April 2024
