SameSite is already here | Hack3rScr0lls
Were you surprised when your cross-domain attack didn't work? Meet the new reality with SameSite Cookies.
From the August 2020 Chrome update: cookies that do not specify a SameSite attribute are treated as if they specified SameSite=Lax.
Chrome (and other Chromium-based browsers such as Edge) now treat a cookie without a SameSite attribute as SameSite=Lax by default. Safari does not apply that default; it relies on Intelligent Tracking Prevention, which blocks cookies in third-party (embedded) contexts but does not strip them from a top-level navigation such as a cross-site form POST.
A reminder of the SameSite attribute values:
SameSite=Lax: the cookie is sent on same-site requests and on some cross-site requests, namely top-level navigations that use a safe method (GET or HEAD). It is not sent with cross-site POSTs, iframes, images, scripts, fetch/XHR calls or WebSocket handshakes.
SameSite=Strict: the cookie is never sent on a cross-site request, not even on a top-level GET that follows a link from another site. It is sent only on same-site requests and on navigations the user starts directly, such as typing the address in the URL bar and pressing Enter.
SameSite=None: the cookie is sent in all contexts (the old behaviour). Chrome only accepts it together with the Secure attribute; a SameSite=None cookie without Secure is rejected and never stored.
Unless the cookie you need is explicitly set with SameSite=None (and Secure), the following attacks will not work in Chrome, because the cookie is simply not attached to the cross-site request and the target sees an unauthenticated user:
> CSRF
> CORS misconfiguration
> XSLeaks
> XSS via POST
> Cross-Site Script Inclusion
> Clickjacking
> JSONP leaks
> WebSocket Hijacking
Before giving up, check the usual gaps: a cookie set without any SameSite attribute is still sent on a top-level cross-site POST for two minutes after it was set (Chrome's "Lax + POST" exception for login redirects); a Lax cookie still rides on a top-level GET, so an endpoint that performs state changes on GET remains CSRF-able; and "cross-site" means a different registrable domain, so any subdomain of the target you control, or can inject into via XSS, is same-site and the cookie is sent.
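As an added example (this is not code from the Hack3rScr0lls post), the following JavaScript models the cookie-attachment rules above, including Chrome's two-minute "Lax + POST" exception and the rejection of SameSite=None without Secure. The function names parseSetCookie, cookieIsSent and demo, the Set-Cookie lines and the timestamps are constructed for illustration; run it with Node to see which of the attacks listed above would still carry a session cookie.

```javascript
// Added example, not from the Hack3rScr0lls post: a small model of the
// SameSite rules described above. parseSetCookie(), cookieIsSent() and demo()
// are names chosen here; the Set-Cookie lines and clock values are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
// Chrome's "Lax + POST" exception: a cookie that got Lax only by default is
// still sent on top-level cross-site POSTs for 2 minutes after being set.
const LAX_POST_WINDOW_MS = 2 * 60 * 1000;

// Parse one Set-Cookie header. Returns null when Chrome would reject the
// cookie outright (SameSite=None without Secure).
function parseSetCookie(header, setAt) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null,
    defaulted: false, // true when SameSite was absent and Lax was assumed
    setAt,            // ms timestamp, used for the Lax + POST window
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = val;
  }
  if (!['lax', 'strict', 'none'].includes(cookie.sameSite)) {
    cookie.sameSite = 'lax';  // missing or unrecognised value: Lax by default
    cookie.defaulted = true;
  }
  if (cookie.sameSite === 'none' && !cookie.secure) return null;
  return cookie;
}

// req: { crossSite, topLevel, method, now }. crossSite means the initiator's
// registrable domain differs from the target's; topLevel means a navigation
// (link, form, redirect) rather than an embedded load, fetch or WebSocket.
function cookieIsSent(cookie, req) {
  if (!req.crossSite) return true;            // same-site: always attached
  switch (cookie.sameSite) {
    case 'none':   return true;               // only reachable with Secure
    case 'strict': return false;              // never on a cross-site request
    case 'lax':
      if (!req.topLevel) return false;        // iframe, img, script, fetch, WebSocket
      if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
      return cookie.defaulted && (req.now - cookie.setAt) < LAX_POST_WINDOW_MS;
  }
  return false;
}

// Worked scenario: an attacker page on another site hits the target, whose
// session cookie was set in one of several ways. Returns a table of outcomes.
function demo() {
  const now = 1700000000000;                                    // constructed clock
  const cookies = {
    legacyFresh:  parseSetCookie('sid=abc; Path=/; HttpOnly', now - 30 * 1000),
    legacyStale:  parseSetCookie('sid=abc; Path=/; HttpOnly', now - 10 * 60 * 1000),
    lax:          parseSetCookie('sid=abc; SameSite=Lax; Secure', now),
    strict:       parseSetCookie('sid=abc; SameSite=Strict; Secure', now),
    none:         parseSetCookie('sid=abc; SameSite=None; Secure', now),
    noneNoSecure: parseSetCookie('sid=abc; SameSite=None', now), // rejected -> null
  };
  const requests = {
    csrfForm:  { crossSite: true, topLevel: true,  method: 'POST', now }, // auto-submitted form
    csrfGet:   { crossSite: true, topLevel: true,  method: 'GET',  now }, // link or location=
    framed:    { crossSite: true, topLevel: false, method: 'GET',  now }, // clickjacking iframe
    fetchCors: { crossSite: true, topLevel: false, method: 'GET',  now }, // fetch with credentials
  };
  const result = {};
  for (const [cname, cookie] of Object.entries(cookies)) {
    result[cname] = {};
    for (const [rname, req] of Object.entries(requests)) {
      result[cname][rname] = cookie === null ? 'rejected' : cookieIsSent(cookie, req);
    }
  }
  return result;
}

for (const [cname, row] of Object.entries(demo())) {
  console.log(cname.padEnd(13), JSON.stringify(row));
}
```

The model deliberately ignores Path, Domain and expiry matching; its only job is the SameSite decision, which is what separates a working cross-site attack from a request the server sees as anonymous.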