🔏
roguebook
  • group
    • Web
      • Concepts
      • OAuth 2.0
      • File upload
      • API testing
      • Web Cache Decpetion
      • CORS
      • CSRF
      • Cross site web socket hijacking
      • XS-Leaks
    • Bug Bounty
      • Recon
        • Dorking
          • SSL Checker
        • Wordlists
          • Twitter wordlist suggestions
      • Tips & Tricks
        • Combined
        • CSP Bypasses & open redirect
        • 403 Bypass
        • Arrays in JSON
        • Open Redirect
        • Next.js Application
        • Locla File Read
        • External Link
        • xss bypass
        • CSRF cors bypass
      • Talks/Interviews/Podcasts
        • Bug Bounty Talks
        • Podcasts
          • Critical Thinking - Bug Bounty Podcast
            • Learning
      • Tools
    • Android
      • Getting Started
      • Intent Attack Surface
      • Broadcast Receivers
      • Android Permissions
      • Android Services
      • Content and FileProvider
      • WebView & CustomTabs
      • Insecure Storage
      • Tips & Tricks
    • Thick Client
      • Lab Setup
      • Information Gathering
      • Traffic analysis
      • Insecure Data storage
      • Input validation
      • DLL hijacking
      • Forensics
      • Extra resources
    • OSINT
      • OpSec
    • Malware Analysis
      • Lab Setup
      • Networking
      • Tools
      • Malware source
      • Basic Static Analysis
      • Basic Dynamic Analysis
      • Advanced Analysis
      • Advanced Static Analysis
      • Advanced Dynamic Analysis
    • Malware Development
    • Blue Team
      • Tools
      • Malware Analysis
        • Basic Static Analysis
    • Binary Exploitation
      • Assembly
    • Infographics
    • Malware Analysis
Powered by GitBook
On this page
  1. group
  2. Web

CSRF

PreviousCORSNextCross site web socket hijacking

Last updated 6 days ago

samesite vs sameorigin

from mozilla

The possible attribute values are:

  • The request is a top-level navigation: this essentially means that the request causes the URL shown in the browser's address bar to change.

Send the cookie with both cross-site and same-site requests. The Secure attribute must also be set when using this value.

Send the cookie only for requests originating from the same that set the cookie.

Send the cookie only for requests originating from the same that set the cookie, and for cross-site requests that meet both of the following criteria:

This would exclude, for example, requests made using the API, or requests for subresources from or elements, or navigations inside elements.

It would include requests made when the user clicks a link in the top-level browsing context from one site to another, or an assignment to , or a submission.

The request uses a method: in particular, this excludes , , and .

Some browsers use Lax as the default value if SameSite is not specified: see for details.

Note: When Lax is applied as a default, a more permissive version is used. In this more permissive version, cookies are also included in requests, as long as they were set no more than two minutes before the request was made.

Strict
site
Lax
site
fetch()
<img>
<script>
<iframe>
document.location
<form>
safe
POST
PUT
DELETE
Browser compatibility
POST
None
LogoThe great SameSite confusion
LogoBypassing SameSite cookie restrictions | Web Security AcademyWebSecAcademy