Wk-notes-02-03-same-site-cookie

PreviousWk-notes-02-04-props-drilling-virtual-list NextWk-notes-01-31-g-recaptcha-npmshrinkwrap

Last updated 5 years ago

Was this helpful?

Wk-notes-02-03-same-site-cookie

TL;DR

Set-cookie: 3partycookie=value; SameSite=None; Secure to fix third party cookie break.

Quick Refresher

Set-Cookie allows server set a cookie in browser by http response.

Cookie header will be send back to server

document.cookie enables J to modify cookies

Cookie lives under browser context and could be consume whenever the page load resource from the domain

first-party cookie: set by current domain, same domain in url bar

third party cookie: set by other domain, it is used if a user want to

CSRF: Because cookie is attached to header no matter who send it

SameSite

Strict cookie only used in first-party-page
Lax if user follows a first-party-link on the third-party-page, the cookie will be sent.

What will happen

Introducing network.cookie.sameSite.laxByDefault
SameSite=None MUST be Secure
Always explicitly set SameSite
Use cases:
In <iframe/>:
- Embedded content shared from other sites, such as videos, maps, code samples, and social posts.
- Widgets from external services such as payments, calendars, booking, and reservation functionality.
- Widgets such as social buttons or anti-fraud services that create less obvious <iframe/>.
"Unsafe" requests across sites:
When redirecting pages.
While "unsafe" may sound slightly concerning here, this refers to any request that may be intended to change state. On the web that's primarily POST requests. Cookies marked as SameSite=Lax will be sent on safe top-level navigations, e.g. clicking a link to go to a different site. However something like a ` submission via POST to a different site would not include cookies.
This pattern is used for sites that may redirect the user out to a remote service to perform some operation before returning, for example redirecting to a third-party identity provider. Before the user leaves the site, a cookie is set containing a single use token with the expectation that this token can be checked on the returning request to mitigate attacks. If that returning request comes via POST then it will be necessary to mark the cookies as SameSite=None; Secure.
Remote Resources:
A cookie to be sent over a on-page request (no redirects): <img>, <script/>, or AJAX(withCredential for XMLHttpRequest; credentails: 'include' for fetch())
Content within a WebView:
Remember to add SameSite=None; Secure because most of the reqeust are from JS
Solution:
```
Set-cookie: 3partycookie=value; SameSite=None; Secure
Set-cookie: 3partycookie-legacy=value; Secure
```
Ref:

PreviousWk-notes-02-04-props-drilling-virtual-list NextWk-notes-01-31-g-recaptcha-npmshrinkwrap

Last updated 5 years ago

Was this helpful?

TL;DR

Set-cookie: 3partycookie=value; SameSite=None; Secure to fix third party cookie break.

Quick Refresher

Set-Cookie allows server set a cookie in browser by http response.

Cookie header will be send back to server

document.cookie enables J to modify cookies

Cookie lives under browser context and could be consume whenever the page load resource from the domain

first-party cookie: set by current domain, same domain in url bar

third party cookie: set by other domain, it is used if a user want to

CSRF: Because cookie is attached to header no matter who send it

SameSite

Strict cookie only used in first-party-page
Lax if user follows a first-party-link on the third-party-page, the cookie will be sent.

What will happen

Introducing network.cookie.sameSite.laxByDefault
SameSite=None MUST be Secure
Always explicitly set SameSite
Use cases:
In <iframe/>:
- Embedded content shared from other sites, such as videos, maps, code samples, and social posts.
- Widgets from external services such as payments, calendars, booking, and reservation functionality.
- Widgets such as social buttons or anti-fraud services that create less obvious <iframe/>.
"Unsafe" requests across sites:
When redirecting pages.
While "unsafe" may sound slightly concerning here, this refers to any request that may be intended to change state. On the web that's primarily POST requests. Cookies marked as SameSite=Lax will be sent on safe top-level navigations, e.g. clicking a link to go to a different site. However something like a ` submission via POST to a different site would not include cookies.
This pattern is used for sites that may redirect the user out to a remote service to perform some operation before returning, for example redirecting to a third-party identity provider. Before the user leaves the site, a cookie is set containing a single use token with the expectation that this token can be checked on the returning request to mitigate attacks. If that returning request comes via POST then it will be necessary to mark the cookies as SameSite=None; Secure.
Remote Resources:
A cookie to be sent over a on-page request (no redirects): <img>, <script/>, or AJAX(withCredential for XMLHttpRequest; credentails: 'include' for fetch())
Content within a WebView:
Remember to add SameSite=None; Secure because most of the reqeust are from JS
Solution:
```
Set-cookie: 3partycookie=value; SameSite=None; Secure
Set-cookie: 3partycookie-legacy=value; Secure
```
Ref:

Same-site cookie

TL;DR

Same-site cookie

TL;DR