Same-site cookie

TL;DR

Set-Cookie: 3partycookie=value; SameSite=None; Secure fixes third-party cookies that stop working under the new SameSite defaults.

Quick Refresher

Set-Cookie lets a server set a cookie in the browser through an HTTP response header.

The Cookie request header sends it back to the server on later requests.

document.cookie lets JavaScript read and modify cookies.

A cookie lives in the browser's context for its domain and is attached whenever a page loads a resource from that domain.

first-party cookie: set by the current domain, i.e. the same domain shown in the URL bar

third-party cookie: set by a domain other than the one in the URL bar; it is used if a user wants to

CSRF (Cross-Site Request Forgery): possible because the cookie is attached to the request no matter which site initiated it.

SameSite

  • Strict: the cookie is only sent on requests from a first-party page (same-site requests).

  • Lax: additionally sent when the user follows a top-level link from a third-party page to the first-party site.
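To make the Strict / Lax / None rules above concrete, here is an added example (not code from the original note) that models the decision a browser makes when deciding whether to attach a cookie. The request shape, the `siteOf` helper (a last-two-labels approximation of the public suffix list browsers really use) and the lax-by-default handling are assumptions made for this illustration.

```javascript
// Added example: model of when a browser attaches a cookie, driven by the
// cookie's SameSite attribute and the context of the request.

// Approximate "site" of a host by its last two labels. Real browsers use the
// public suffix list; this simplification is an assumption of the example.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Methods that do not change state; Lax cookies ride along on these only.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie:  { name, value, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// request: { url, initiatorSite, topLevel, method }
//   initiatorSite: host of the page that caused the request (the page the
//                  user is leaving for a navigation, or the embedding page
//                  for an <iframe>, <img>, <script> or fetch()).
//   topLevel:      true for a navigation that changes the URL bar.
function wouldSendCookie(cookie, request) {
  const target = new URL(request.url);

  // A Secure cookie is never sent over plain http.
  if (cookie.secure && target.protocol !== 'https:') return false;

  // Same-site requests always carry the cookie, whatever SameSite says.
  if (siteOf(target.hostname) === siteOf(request.initiatorSite)) return true;

  // laxByDefault: a cookie without an explicit SameSite attribute is treated as Lax.
  const mode = cookie.sameSite || 'Lax';

  switch (mode) {
    case 'Strict':
      // Never sent cross-site.
      return false;
    case 'Lax':
      // Only on top-level navigations using a safe method (e.g. clicking a link);
      // a cross-site <form> POST or an embedded subresource gets nothing.
      return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
    case 'None':
      // SameSite=None is only honoured when the cookie is also Secure.
      return cookie.secure;
    default:
      return false;
  }
}

// Constructed sample scenarios (not real traffic): a cross-site link click, a
// cross-site form POST and an embedded iframe, all targeting shop.example.
const SCENARIOS = {
  linkClick: { url: 'https://shop.example/cart', initiatorSite: 'blog.example', topLevel: true, method: 'GET' },
  formPost:  { url: 'https://shop.example/buy',  initiatorSite: 'blog.example', topLevel: true, method: 'POST' },
  iframe:    { url: 'https://shop.example/widget', initiatorSite: 'blog.example', topLevel: false, method: 'GET' },
  sameSite:  { url: 'https://shop.example/buy',  initiatorSite: 'www.shop.example', topLevel: true, method: 'POST' },
};

// Summarise which scenarios a given cookie would be sent in.
function sentIn(cookie) {
  return Object.keys(SCENARIOS).filter((k) => wouldSendCookie(cookie, SCENARIOS[k]));
}
```

Running `sentIn` against a Strict, a Lax and a `SameSite=None; Secure` cookie shows the progression the list above describes: Strict only survives the same-site case, Lax adds the link click but not the POST or the iframe, and only None + Secure reaches the embedded widget.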

What will happen

  • Introducing network.cookie.sameSite.laxByDefault: cookies with no explicit SameSite attribute are treated as Lax.

  • SameSite=None MUST be Secure

    Always explicitly set SameSite

    Use cases:

    In <iframe/>:

    • Embedded content shared from other sites, such as videos, maps, code samples, and social posts.

    • Widgets from external services such as payments, calendars, booking, and reservation functionality.

    • Widgets such as social buttons or anti-fraud services that create less obvious <iframe/>.

    "Unsafe" requests across sites:

    When redirecting pages.

    While "unsafe" may sound slightly concerning here, this refers to any request that may be intended to change state. On the web that's primarily POST requests. Cookies marked as SameSite=Lax will be sent on safe top-level navigations, e.g. clicking a link to go to a different site. However, something like a <form> submission via POST to a different site would not include cookies.

    This pattern is used for sites that may redirect the user out to a remote service to perform some operation before returning, for example redirecting to a third-party identity provider. Before the user leaves the site, a cookie is set containing a single use token with the expectation that this token can be checked on the returning request to mitigate Cross Site Request Forgery (CSRF) attacks. If that returning request comes via POST then it will be necessary to mark the cookies as SameSite=None; Secure.

    Remote Resources:

    A cookie that must be sent with an on-page request (no redirects): <img>, <script/>, or AJAX (withCredentials for XMLHttpRequest; credentials: 'include' for fetch())

    Content within a WebView:

    Remember to add SameSite=None; Secure because most of the requests are made from JS.

    Solution:

    Set-cookie: 3partycookie=value; SameSite=None; Secure
    Set-cookie: 3partycookie-legacy=value; Secure

    Ref: https://github.com/GoogleChromeLabs/samesite-examples
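The Solution above sets two cookies: the SameSite=None; Secure one for current browsers and a -legacy twin without SameSite for clients that reject or mishandle SameSite=None. Below is an added example (not part of the original note or of the linked samesite-examples project) of building those two Set-Cookie headers in Node and reading either one back on a later request. The cookie name 3partycookie comes from the note; the handler shape (a plain Node http request/response) and the parsing helper are assumptions of this illustration.

```javascript
// Added example: emit the modern + legacy pair of Set-Cookie headers and
// accept whichever one the browser sends back.

// Serialise one cookie line. Boolean attributes (Secure) are emitted bare,
// valued ones (SameSite=None) as key=value.
function serialize(name, value, attrs) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  for (const [k, v] of Object.entries(attrs)) {
    if (v === true) parts.push(k);
    else if (v !== false && v !== undefined) parts.push(`${k}=${v}`);
  }
  return parts.join('; ');
}

// The two header values from the Solution. They must be sent as separate
// Set-Cookie headers (an array in Node's res.setHeader), never joined with commas.
function thirdPartyCookieHeaders(name, value, extra = {}) {
  return [
    serialize(name, value, { SameSite: 'None', Secure: true, ...extra }),
    serialize(`${name}-legacy`, value, { Secure: true, ...extra }),
  ];
}

// Parse a Cookie request header into a name -> value map (first occurrence wins).
function parseCookieHeader(header) {
  const jar = Object.create(null);
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const k = pair.slice(0, idx).trim();
    const v = pair.slice(idx + 1).trim();
    if (k && !(k in jar)) jar[k] = decodeURIComponent(v);
  }
  return jar;
}

// Prefer the SameSite=None cookie; fall back to the legacy twin; null if neither.
function readThirdPartyCookie(cookieHeader, name) {
  const jar = parseCookieHeader(cookieHeader || '');
  if (name in jar) return jar[name];
  if (`${name}-legacy` in jar) return jar[`${name}-legacy`];
  return null;
}

// Request handler for a Node http server (hypothetical; not started here).
function handler(req, res) {
  res.setHeader('Set-Cookie', thirdPartyCookieHeaders('3partycookie', 'value'));
  const seen = readThirdPartyCookie(req.headers.cookie, '3partycookie');
  res.end(seen ? `cookie seen: ${seen}` : 'no cookie yet');
}
```

Wire it up with `require('http').createServer(handler).listen(8443)` behind TLS; because both cookies carry Secure, a browser will only store them when the response arrived over https.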
