Same Site Cookie Attribute in short

Bipin Maharjan
3 min read · Aug 18, 2023


Let's start with what a same site cookie attribute is. The same site attribute of a cookie is a rule that instructs the browser how that cookie is sent with cross-origin requests. It can prevent sensitive cookies from being attached to a cross-origin request, which provides protection against cross-site request forgery (CSRF) attacks.

You might ask: how does the same site attribute protect me from CSRF attacks? We will talk about this in detail below, after we have discussed the same site attribute itself.

So what is a cross-origin request? To understand a cross-origin request, you first need to understand the components of a domain. At a high level, a domain (strictly speaking, an origin) is composed of 3 parts: scheme, hostname and port. For example, in this domain:

> https://www.localhost:3000
- Scheme is: https://
- Hostname is: www.localhost
- Port is: 3000

When a request doesn’t match the scheme, hostname, or port of the sending site, it is considered a cross-origin request.

For example, if the site
https://www.example.com:4000
initiates a request to
https://www.example.com:400
then the request to https://www.example.com:400 is considered a cross-origin request, because the ports differ.

Now let's go deeper into the same site attribute. It can have 3 values: Strict, Lax and None. To understand these values, we need to ask two questions: who can set this cookie? And when is this cookie sent?

  • Strict

— Who can set a same site ‘strict’ cookie?
> A same site ‘strict’ cookie can only be added through a same-origin response or a cross-origin response initiated with top-level navigation.

— When is a same site ‘strict’ cookie sent?
> A same site ‘strict’ cookie will only be sent if the request goes to the same site, i.e. the same origin. Cross-origin requests will not include this cookie.

  • Lax

— Who can set a same site ‘lax’ cookie?
> Similar to same site ‘strict’, a ‘lax’ cookie can also only be added through a same-origin response or a cross-origin response initiated with top-level navigation.

— When is a same site ‘lax’ cookie sent?
> Cookies with the same site attribute set to ‘Lax’ will be sent with top-level navigations only, such as clicking on a link or entering a URL, as long as the navigation is user-initiated from a cross-origin context. However, they won’t be sent for requests that are triggered by loading resources (such as images or scripts) from a cross-origin context. In a same-origin context a ‘lax’ cookie is sent with every request.

  • None

— Who can set a same site ‘none’ cookie?
> Unlike same site ‘lax’ and ‘strict’ cookies, a same site ‘none’ cookie can be set by both cross-origin and same-origin responses, but for security every same site ‘none’ cookie must be marked Secure and transferred over https. (On hosts like localhost and 127.0.0.1 it might not need https.)

— When is a same site ‘none’ cookie sent?
> A cookie with the same site attribute set to ‘None’ will be sent with all cross-origin requests, including both top-level navigations and requests for resources. This is typically used when you want to allow third-party sites to make authenticated requests to your server. This kind of cookie should not be used for user authentication without proper CSRF protection.

Now that we have learned about the same site attribute policy, let's answer the question: how does the same site attribute protect me from CSRF attacks?

Let's assume a scenario where ABC Bank's web banking sets its cookies with the same site attribute ‘None’. A user is logged in and browsing various sites. If they unknowingly visit a suspicious site, it can send a request to the bank to transfer funds to an attacker’s account. Because of the same site ‘none’ attribute, the cookies are attached and the bank processes the request as legitimate. Although the browser might block the response due to CORS, the server has already executed the request. This could have been easily prevented by setting the same site attribute to ‘strict’. Since ‘strict’ cookies are not attached to cross-origin requests, that request would be discarded as an invalid request.
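To make the three rules above and the bank scenario concrete, here is an added example (not code from the original post): a small model of the browser's "should this cookie be attached?" decision for each same site value, plus a Set-Cookie builder that refuses SameSite=None without Secure. It compares scheme, hostname and port as the post does (real browsers compare the registrable domain, the "site"), and for ‘Lax’ it additionally requires a safe HTTP method on cross-origin navigations, as browsers do; the origins evil.example and bank.example are constructed.

```javascript
// Added example, not from the original post. Models which cookies a browser
// attaches to a request under each SameSite value described above.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Same origin = same scheme, hostname and port (the post's definition;
// browsers actually compare the registrable domain, i.e. the "site").
function isSameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Builds a Set-Cookie header value and rejects the combination browsers reject.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = false, httpOnly = true } = {}) {
  const mode = { strict: 'Strict', lax: 'Lax', none: 'None' }[String(sameSite).toLowerCase()];
  if (!mode) throw new Error(`unknown SameSite value: ${sameSite}`);
  if (mode === 'None' && !secure) throw new Error('SameSite=None cookies must also be Secure');
  const parts = [`${name}=${value}`, `SameSite=${mode}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// cookie: { sameSite, secure }; request: { from, to, topLevelNavigation, method }
function cookieIsSent(cookie, request) {
  const https = new URL(request.to).protocol === 'https:';
  if (cookie.secure && !https) return false;              // Secure cookies never go over plain http
  if (isSameOrigin(request.from, request.to)) return true; // same origin: every value is sent
  switch (String(cookie.sameSite).toLowerCase()) {
    case 'strict': return false;                           // never attached cross-origin
    case 'lax':    return Boolean(request.topLevelNavigation) &&
                          SAFE_METHODS.has(String(request.method).toUpperCase());
    case 'none':   return true;                            // always (Secure + https checked above)
    default: throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The bank scenario: a malicious page auto-submits a transfer form (a POST that
// is itself a top-level navigation). Does the session cookie travel with it?
function csrfTransferCarriesSession(sameSite) {
  const session = { sameSite, secure: true };
  return cookieIsSent(session, {
    from: 'https://evil.example',            // constructed attacker origin
    to: 'https://bank.example/transfer',     // constructed bank origin
    topLevelNavigation: true,
    method: 'POST',
  });
}
```

Only the ‘None’ cookie rides along with the forged transfer; ‘Lax’ and ‘Strict’ both leave it behind, which is exactly why the request then fails as unauthenticated.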
