SameSite cookies

 3 years ago
source link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.

Standards related to the Cookie SameSite attribute recently changed such that:

  • Cookies without a SameSite attribute are treated as SameSite=Lax. Previously the default was that such cookies were sent with all requests, i.e. the behaviour now spelled SameSite=None. Chrome softens the new default with a "Lax + POST" exception: a cookie set without SameSite is still sent on cross-site top-level POST requests for two minutes after it was set, so an explicit SameSite=Lax is stricter than relying on the default.
  • Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).

This article documents the new standard. See Browser Compatibility below for information about specific versions where the behaviour changed.

Values

The SameSite attribute accepts three values:

Lax

Cookies are not sent on cross-site subrequests (for example an image or frame loaded into a third-party page, or a cross-site fetch/XHR or form POST), but are sent when the user navigates to the cookie's site at top level with a safe HTTP method, i.e. when following a link or submitting a GET form.

This is the default cookie value if SameSite has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).

Lax replaced None as the default value in order to ensure that users have a reasonably robust defence against some classes of cross-site request forgery (CSRF) attacks. It is not a complete CSRF defence on its own: cross-site GET navigations still carry the cookie, and requests from a sibling subdomain count as same-site, so state-changing endpoints should still check an anti-CSRF token.

Strict

Cookies will only be sent in a first-party context and are never attached to requests initiated by third-party websites, including top-level navigations: a user who follows a link from another site arrives without the cookie and may appear logged out until the next same-site navigation.

None

Cookies will be sent in all contexts, i.e. with both first-party and cross-site requests. If SameSite=None is set, the cookie's Secure attribute must also be set, or the cookie will be rejected.
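
The rules for the three values can be checked against a small model of the browser's send decision. The following is an added example, not code from the MDN page; it assumes a tiny constructed stand-in for the Public Suffix List (PUBLIC_SUFFIXES) and hand-built cookie and request descriptions, and implements the rfc6265bis rules: "same-site" compares scheme and registrable domain, Lax additionally allows cross-site top-level navigations with a safe method, None requires Secure, and an unspecified value behaves as Lax.

```javascript
// Added example (not code from the MDN page): a model of when a browser attaches
// a cookie to a request, following the SameSite rules described above.
// Assumptions: PUBLIC_SUFFIXES is a tiny constructed stand-in for the real
// Public Suffix List, and the cookie/request objects are hand-built descriptions.

// Constructed stand-in for the Public Suffix List; browsers consult the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest known public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix: treat the whole host as the site
}

// "Schemeful" same-site: scheme and registrable domain must both match,
// so http://example.org and https://example.org are different sites.
function isSameSite(requestUrl, initiatorUrl) {
  const a = new URL(requestUrl);
  const b = new URL(initiatorUrl);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Methods that Lax cookies may accompany on a cross-site top-level navigation.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// request: { url, initiator, method, topLevelNavigation }
// Returns { sent, reason }.
function cookieIsSent(cookie, request) {
  const sameSite = cookie.sameSite || "Lax"; // unspecified is treated as Lax
  const scheme = new URL(request.url).protocol;

  if (cookie.secure && scheme !== "https:") {
    return { sent: false, reason: "Secure cookie is never sent over http:" };
  }
  if (sameSite === "None") {
    if (!cookie.secure) {
      return { sent: false, reason: "SameSite=None without Secure is rejected when set" };
    }
    return { sent: true, reason: "SameSite=None; Secure: sent in every context" };
  }
  if (isSameSite(request.url, request.initiator)) {
    return { sent: true, reason: "same-site request" };
  }
  if (sameSite === "Lax" && request.topLevelNavigation &&
      SAFE_METHODS.has(request.method.toUpperCase())) {
    return { sent: true, reason: "Lax: cross-site top-level navigation with a safe method" };
  }
  return { sent: false, reason: `cross-site request blocked by SameSite=${sameSite}` };
}

// Constructed CSRF scenario: a form on evil.example auto-submits a POST to the bank.
const csrfPost = {
  url: "https://bank.example.org/transfer",
  initiator: "https://evil.example/",
  method: "POST",
  topLevelNavigation: true,
};
console.log(cookieIsSent({ sameSite: undefined, secure: true }, csrfPost)); // sent: false
```

The model deliberately leaves out Chrome's two-minute "Lax + POST" grace period for cookies that carry no SameSite attribute, and the cross-site-ancestor refinements for subrequests; it is enough to see why a session cookie with the new default survives a link from another site but not an auto-submitted cross-site POST.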

Fixing common warnings

SameSite=None requires Secure

Warnings like the ones below might appear in your console:

Cookie “myCookie” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute.

This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".

The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected.

Set-Cookie: flavor=choco; SameSite=None

To fix this, you will have to add the Secure attribute to your SameSite=None cookies.

Set-Cookie: flavor=choco; SameSite=None; Secure

A Secure cookie is only sent to the server with an encrypted request over HTTPS. Note that insecure sites (http:) can't set cookies with the Secure attribute, so the fix above also implies serving the page that sets the cookie over HTTPS.

On older browser versions you might simply get a warning that the cookie will be blocked in future. For example:

Cookie “myCookie” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Cookies without SameSite default to SameSite=Lax

Recent versions of modern browsers provide a more secure default for SameSite to your cookies and so the following message might appear in your console:

Cookie “myCookie” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.

The warning appears because the SameSite policy for a cookie was not explicitly specified:

Set-Cookie: flavor=choco

You should explicitly communicate the intended SameSite policy for your cookie (rather than relying on browsers to apply SameSite=Lax automatically). This will also improve the experience across browsers as not all of them default to Lax yet.

Set-Cookie: flavor=choco; SameSite=Lax
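
The two checks above (SameSite=None without Secure, and a missing SameSite attribute), together with the rule that http: origins cannot set Secure cookies, can be applied to a Set-Cookie header before it leaves the server. The following is an added example, not code from the MDN page: the header strings are constructed here, the origin that sets the cookie is passed in explicitly, and fixSetCookie shows the rewrite the text recommends.

```javascript
// Added example (not code from the MDN page): a linter that applies the checks
// behind the console messages above to a Set-Cookie header string.
// Assumptions: header strings are constructed here, and the origin that sets
// the cookie is supplied so the "Secure from http:" rule can be applied.

const CANONICAL = {
  samesite: "SameSite", secure: "Secure", httponly: "HttpOnly",
  path: "Path", domain: "Domain", "max-age": "Max-Age", expires: "Expires",
};

// Split "name=value; Attr=val; Flag" into its parts; flags without "=" become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const value = (eq === -1 ? pair : pair.slice(eq + 1)).trim();
  const attrs = {};
  for (const part of rest) {
    const [key, ...val] = part.trim().split("=");
    if (key === "") continue;
    attrs[key.toLowerCase()] = val.length ? val.join("=").trim() : true;
  }
  return { name, value, attrs };
}

// Returns { accepted, messages }; accepted=false means a browser would drop the cookie.
function lintSetCookie(header, settingOrigin) {
  const { name, attrs } = parseSetCookie(header);
  const fromHttps = new URL(settingOrigin).protocol === "https:";
  const secure = attrs.secure === true;
  const raw = attrs.samesite;
  const sameSite = typeof raw === "string" ? raw.toLowerCase() : undefined;
  const messages = [];
  let accepted = true;

  if (secure && !fromHttps) {
    accepted = false;
    messages.push(`Cookie "${name}" rejected: Secure cannot be set from ${settingOrigin}.`);
  }
  if (sameSite === undefined) {
    messages.push(`Cookie "${name}" has no SameSite attribute; it will be treated as SameSite=Lax.`);
  } else if (!["strict", "lax", "none"].includes(sameSite)) {
    // Browsers differ here (Chrome treats it as unspecified, Firefox's message
    // above treats it like None), so flag it rather than guess.
    messages.push(`Cookie "${name}" has an invalid SameSite value "${raw}"; set Strict, Lax or None explicitly.`);
  } else if (sameSite === "none" && !secure) {
    accepted = false;
    messages.push(`Cookie "${name}" rejected: SameSite=None requires the Secure attribute.`);
  }
  return { accepted, messages };
}

// Rewrite a header so it passes the checks: make an absent SameSite explicit
// and add Secure whenever SameSite=None is used.
function fixSetCookie(header, defaultSameSite = "Lax") {
  const { name, value, attrs } = parseSetCookie(header);
  if (!("samesite" in attrs)) attrs.samesite = defaultSameSite;
  if (String(attrs.samesite).toLowerCase() === "none") attrs.secure = true;
  const parts = [`${name}=${value}`];
  for (const [key, val] of Object.entries(attrs)) {
    const label = CANONICAL[key] || key;
    parts.push(val === true ? label : `${label}=${val}`);
  }
  return parts.join("; ");
}

// Constructed inputs mirroring the headers in the text.
console.log(lintSetCookie("flavor=choco; SameSite=None", "https://example.org").messages);
console.log(fixSetCookie("flavor=choco; SameSite=None")); // flavor=choco; SameSite=None; Secure
```

Running the linter over every Set-Cookie a response carries (for example in a test harness or an outbound middleware) catches the rejected-cookie case before a user's browser does, which matters because a silently dropped session cookie shows up as "random logouts" rather than as an error.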

Example (Apache mod_rewrite; the CO flag sets a cookie whenever a rule matches). Note that in Apache 2.4 the CO flag only carries NAME:VALUE:domain:lifetime:path:secure:httponly, so the SameSite attribute has to be appended afterwards with mod_headers:

RewriteEngine on
RewriteBase "/"
RewriteCond "%{HTTP_HOST}"       "^example\.org$" [NC]
RewriteRule "^(.*)"              "https://www.example.org/index.html" [R=301,L,QSA]
# CO=NAME:VALUE:domain:lifetime (minutes):path:secure
RewriteRule "^(.*)\.ht$"         "index.php?nav=$1" [NC,L,QSA,CO=RewriteRule:01:www.example.org:30:/:secure]
RewriteRule "^(.*)\.htm$"        "index.php?nav=$1" [NC,L,QSA,CO=RewriteRule:02:www.example.org:30:/:secure]
RewriteRule "^(.*)\.html$"       "index.php?nav=$1" [NC,L,QSA,CO=RewriteRule:03:www.example.org:30:/:secure]
[...]
RewriteRule "^admin/(.*)\.html$" "admin/index.php?nav=$1" [NC,L,QSA,CO=RewriteRule:09:www.example.org:30:/:secure]
# The CO flag has no SameSite field; append it with mod_headers. "always" is
# required so that the edit also covers the error-headers table, where
# mod_rewrite places the cookies it sets.
Header always edit Set-Cookie "^(RewriteRule=09;.*)$"    "$1; SameSite=Strict"
Header always edit Set-Cookie "^(RewriteRule=0[1-8];.*)$" "$1; SameSite=None"

Specifications

Specification                        Title
RFC 6265, section 4.1: Set-Cookie    HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-05     Cookie Prefixes, Same-Site Cookies, and Strict Secure Cookies

Browser compatibility

Feature                  Chrome  Edge  Firefox  IE   Opera  Safari  WebView Android  Chrome Android  Firefox Android  Opera Android  iOS Safari  Samsung Internet
Set-Cookie               Yes     12    Yes      Yes  Yes    Yes     Yes              Yes             Yes              Yes            Yes         Yes
HttpOnly                 1       12    3        9    11     5       37               Yes             4                Yes            4           Yes
Max-Age                  Yes     12    Yes      8    Yes    Yes     Yes              Yes             Yes              Yes            Yes         Yes
SameSite                 51      16    60       No   39     13 [1]  51               51              60               41             13          5.0
SameSite=Lax             51      16    60       No   39     12      51               51              60               41             12.2        5.0
Defaults to Lax          80      80    69 [2]   No   67     No      80               80              No               No             No          No
SameSite=None            51      16    60       No   39     13 [1]  51               51              60               41             13          5.0
SameSite=Strict          51      16    60       No   39     12      51               51              60               41             12.2        5.0
Secure context required  80      80    69 [2]   No   67     No      80               80              No               No             No          No
Cookie prefixes          49      79    50       No   36     Yes     49               49              50               36             Yes         5.0

A version number or "Yes" means full support from that version ("Yes" where the first supporting version is not recorded); "No" means no support.

[1] See the implementation notes in the source table.
[2] Disabled by default; the user must explicitly enable this feature.
