
Understanding SameSite Cookies

May 10, 2024

A cookie is a small piece of data stored in the browser that a website uses to persist state and other information it needs on later requests.

SameSite cookies help protect your data when you're browsing the web. They work by controlling when the browsing information stored in cookies may be sent along with requests to or from different websites. Without that control, cookies attached to cross-site requests can enable vulnerabilities such as cross-site request forgery (CSRF) or cross-site scripting (XSS) attacks.

The difference between a site and an origin

Two URLs are considered to have the same origin if they share the exact scheme, domain name, and port.

The term "site" is much less specific, as it only accounts for the scheme and the registrable part of the domain name (the label just above the public suffix). This means that a cross-origin request can still be same-site, but not the other way around.

The public suffix list defines which pages count as being on the same site. It doesn't just depend on top-level domains: github.io is on the list, so x.github.io and y.github.io count as separate sites.

What Are SameSite Cookies?

SameSite is an attribute set on a cookie that tells your web browser when it's okay to send that cookie along with requests involving other websites. There are three values:

  • Strict: cookies with the SameSite attribute set to "Strict" will not be sent in cross-origin requests.

    • If there's an image on your website page with its source set to a different domain, the cookie won't be sent along with the request for that image because it's a cross-origin request. This prevents potential security vulnerabilities.

  • Lax: cookies with the SameSite attribute set to "Lax" will be sent with cross-origin "GET" requests.

    • When you click on a link within your website page to view a cross-origin page, your browser sends the cookie with the request because it's a cross-origin "GET" request (a top-level navigation). In the page below, the image is loaded as a cross-origin subresource, while the link is a cross-origin top-level navigation, and that difference decides whether a Lax cookie travels with the request.

      <p>Look at this amazing cat!</p>
      <img src="https://i.ibb.co/rmcKqBB/amazing-cat.jpg" />
      <p>See the <a href="https://ibb.co/R9BGtXX">Amazing Cat</a>.</p>

  • None: This setting is like giving your cookies a passport to travel anywhere. They can go with you to other websites, which can raise some security concerns.

    • When you interact with elements on the page, like submitting a form, your browser sends the cookie with the request regardless of the origin of the request.
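To make the rules above concrete, here is an added example in JavaScript (Node, which provides the URL class); it is not code from the original post. It models how a browser compares origins and sites, then decides whether a cookie with each SameSite value is attached to the three requests described above (the image load, the link click, and a form submission from another site). The public-suffix table, the example page URL and the form-handler URL are constructed placeholders. One caveat the model makes explicit: browsers key the SameSite decision on the site (scheme plus registrable domain), not the origin, so a request between two subdomains of the same registrable domain is same-site even though it is cross-origin.

```javascript
// Added example, not code from the original post: a simplified model of the
// rules a browser applies when deciding whether to attach a cookie to a
// request. It compares sites (scheme + registrable domain), not origins,
// because that is what the SameSite attribute is keyed on.

// Constructed excerpt of the public suffix list; the real list has thousands
// of entries. "github.io" is on the real list, which is why x.github.io and
// y.github.io are separate sites.
const PUBLIC_SUFFIXES = new Set(["com", "org", "io", "co", "co.uk", "github.io"]);

// Origin: scheme, host and port must all match (default ports filled in).
function origin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Registrable domain: the longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return hostname;
}

// Site: scheme plus registrable domain ("schemeful same-site").
function site(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

const sameOrigin = (a, b) => origin(a) === origin(b);
const sameSite = (a, b) => site(a) === site(b);

// cookie:  { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// request: { from: URL of the page making the request, to: request URL,
//            method: HTTP method, topLevelNavigation: boolean }
function cookieSent(cookie, request) {
  const mode = cookie.sameSite || "Lax"; // browsers treat a missing attribute as Lax
  // Modern browsers reject SameSite=None unless Secure is also set.
  if (mode === "None" && !cookie.secure) return false;
  // A Secure cookie is only ever sent over https.
  if (cookie.secure && !request.to.startsWith("https:")) return false;
  if (mode === "None") return true;
  if (sameSite(request.from, request.to)) return true;
  if (mode === "Strict") return false;
  // Lax: cross-site requests get the cookie only on top-level navigations
  // that use a safe method, so an <img> load or a cross-site POST do not.
  const safeMethod = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(request.method.toUpperCase());
  return request.topLevelNavigation === true && safeMethod;
}

// The three situations from the post, as constructed scenarios. The page and
// form-handler URLs are placeholders; the image and link URLs are the post's.
const SCENARIOS = {
  imageLoad: { from: "https://blog.example.com/cats", to: "https://i.ibb.co/rmcKqBB/amazing-cat.jpg", method: "GET", topLevelNavigation: false },
  linkClick: { from: "https://blog.example.com/cats", to: "https://ibb.co/R9BGtXX", method: "GET", topLevelNavigation: true },
  crossSiteFormPost: { from: "https://other-site.example/", to: "https://bank.example.com/transfer", method: "POST", topLevelNavigation: true },
};

// For each SameSite value, which scenarios would carry the cookie.
function decisionTable() {
  const table = {};
  for (const mode of ["Strict", "Lax", "None"]) {
    table[mode] = {};
    for (const [name, request] of Object.entries(SCENARIOS)) {
      table[mode][name] = cookieSent({ sameSite: mode, secure: true }, request);
    }
  }
  return table;
}

console.table(decisionTable());
```

Running it prints a table showing that the image load carries the cookie only under None, the link click under Lax and None, and the cross-site form POST only under None, which is exactly why Lax is the usual default and why a session cookie marked Strict or Lax is not attached to a forged cross-site form submission.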

Warning: Browsers are restricting third-party cookie usage. If you have set SameSite=None on your cookies in the past you will need to take additional action. Learn how to prepare for third-party cookie restrictions.
