2020-10-11 17:02:09
SameSite is already here

Were you surprised when your cross-domain attack didn't work? Meet the new reality with SameSite Cookies.
From the August Chrome update:
Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax.
Now Chrome and Safari treat cookies without the SameSite attribute as SameSite=Lax by default.
A reminder of the SameSite attribute values:
SameSite=Lax: allows the cookie to be sent on some cross-site requests (top-level navigation with GET/HEAD).
SameSite=Strict: never allows the cookie to be sent on a cross-site request; the cookie is only sent when the user navigates to the site directly, e.g. types the address in the URL bar and presses Enter.
SameSite=None: the cookie is sent in all contexts (as before).
You will not be able to exploit the following vulnerabilities in Chrome and Safari without SameSite=None:
> CSRF
> CORS misconfiguration
> XSLeaks
> XSS via POST
> Cross-Site Script Inclusion
> Clickjacking
> JSONP leaks
> WebSocket Hijacking
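Added example, not code from the post: a small model of the "Lax by default" rule above that takes a Set-Cookie header and a request description and says whether the browser would attach the cookie. The request shape ({ crossSite, topLevelNavigation, method }) and the function names are assumptions for this example; the rejection of SameSite=None without Secure is documented Chrome behaviour that the post itself does not mention.

```javascript
// Parse a Set-Cookie header value into the fields that matter for SameSite.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Effective SameSite policy. A missing attribute is treated as Lax (the Chrome
// default quoted in the post). Chrome also discards a SameSite=None cookie that
// lacks the Secure attribute (Chrome behaviour, assumed here, not from the post).
function effectiveSameSite(cookie) {
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  if (cookie.sameSite === 'strict') return 'strict';
  return 'lax';
}

// Would the browser attach this cookie to the described request?
// req = { crossSite: bool, topLevelNavigation: bool, method: 'GET' | 'POST' | ... }
function isCookieSent(cookie, req) {
  const policy = effectiveSameSite(cookie);
  if (policy === 'rejected') return false;  // cookie was never stored
  if (!req.crossSite) return true;          // same-site requests always carry it
  switch (policy) {
    case 'none':   return true;
    case 'strict': return false;
    default:       // lax: only top-level navigations using a safe method
      return req.topLevelNavigation && ['GET', 'HEAD'].includes(req.method);
  }
}

// Constructed sample: a legacy session cookie with no SameSite attribute,
// checked against the request kinds the affected attack classes rely on.
const legacy = parseSetCookie('session=abc123; Path=/; HttpOnly');
const samples = {
  'cross-site POST form':      { crossSite: true,  topLevelNavigation: true,  method: 'POST' },
  'cross-site top-level link': { crossSite: true,  topLevelNavigation: true,  method: 'GET' },
  'cross-site fetch/XHR':      { crossSite: true,  topLevelNavigation: false, method: 'GET' },
  'same-site request':         { crossSite: false, topLevelNavigation: false, method: 'POST' },
};
for (const [label, req] of Object.entries(samples)) {
  console.log(`${label}: cookie sent = ${isCookieSent(legacy, req)}`);
}
```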
#Web #Cookies #SameSite