CSRF

samesite vs sameorigin

from mozilla

The possible attribute values are:

Strict

Send the cookie only for requests originating from the same site that set the cookie.

Lax

Send the cookie only for requests originating from the same site that set the cookie, and for cross-site requests that meet both of the following criteria:

  • The request is a top-level navigation: this essentially means that the request causes the URL shown in the browser's address bar to change.

    • This would exclude, for example, requests made using the fetch() API, or requests for subresources from <img> or <script> elements, or navigations inside <iframe> elements.

    • It would include requests made when the user clicks a link in the top-level browsing context from one site to another, or an assignment to document.location, or a <form> submission.

  • The request uses a safe method: in particular, this excludes POST, PUT, and DELETE.

Some browsers use Lax as the default value if SameSite is not specified: see Browser compatibility for details.

Note: When Lax is applied as a default, a more permissive version is used. In this more permissive version, cookies are also included in POST requests, as long as they were set no more than two minutes before the request was made.

None

Send the cookie with both cross-site and same-site requests. The Secure attribute must also be set when using this value.
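The rules above can be turned into a small decision model. The following is an added example, not code from MDN or from any browser; it models how a browser decides whether to attach a cookie to a request under each SameSite value, including the more permissive default-Lax variant described in the note. The function names, the `ageSeconds` field and the assumption that the two-minute POST exception applies only to top-level navigations (the same condition Lax already requires) are choices made here, not taken from the page. It also includes a small helper for emitting the matching Set-Cookie header, since a server wanting SameSite as a CSRF mitigation should set the attribute explicitly rather than rely on browser defaults.

```javascript
// Added example: a model of the browser-side SameSite decision, plus a helper
// for building the Set-Cookie header a server would send. Not MDN or browser code.

// "Safe" methods per the text: Lax excludes POST, PUT and DELETE.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
// The "two minutes" window from the note on Lax-as-default (assumption: seconds).
const LAX_POST_WINDOW_SECONDS = 120;

// Build a Set-Cookie header value. SameSite=None without Secure is rejected,
// mirroring the rule that Secure must accompany None.
function setCookieHeader(name, value, { sameSite, secure = false, httpOnly = false } = {}) {
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${value}`];
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Effective SameSite value. Browsers that default to Lax treat a cookie with no
// attribute as Lax, but remember that it was a default (the permissive variant).
function effectiveSameSite(cookie, laxByDefault = true) {
  if (cookie.sameSite) return { value: cookie.sameSite, byDefault: false };
  return { value: laxByDefault ? "Lax" : "None", byDefault: laxByDefault };
}

// Decide whether `cookie` is attached to `request`.
//   cookie:  { sameSite?: "Strict"|"Lax"|"None", secure?: boolean, ageSeconds: number }
//   request: { sameSite: boolean, topLevelNavigation: boolean, method: string }
function cookieIsSent(cookie, request, laxByDefault = true) {
  const { value, byDefault } = effectiveSameSite(cookie, laxByDefault);
  const method = request.method.toUpperCase();
  if (request.sameSite) return true;     // same-site requests always carry the cookie
  if (value === "Strict") return false;  // Strict: never on cross-site requests
  if (value === "None") return true;     // None: always (only settable together with Secure)
  // Lax: cross-site only for a top-level navigation using a safe method ...
  if (!request.topLevelNavigation) return false;
  if (SAFE_METHODS.has(method)) return true;
  // ... except the default-Lax variant, which also allows a top-level POST
  // when the cookie was set no more than two minutes earlier.
  return byDefault && method === "POST" && cookie.ageSeconds <= LAX_POST_WINDOW_SECONDS;
}

// Constructed scenarios: the request shapes that matter for CSRF, evaluated
// for a cookie under each SameSite setting. Returns a map of scenario -> sent?
function sameSiteMatrix(cookie, laxByDefault = true) {
  const requests = {
    crossSiteFetch:    { sameSite: false, topLevelNavigation: false, method: "GET" },
    crossSiteLinkGet:  { sameSite: false, topLevelNavigation: true,  method: "GET" },
    crossSiteFormPost: { sameSite: false, topLevelNavigation: true,  method: "POST" },
    sameSitePost:      { sameSite: true,  topLevelNavigation: false, method: "POST" },
  };
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = cookieIsSent(cookie, req, laxByDefault);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(setCookieHeader("sid", "abc123", { sameSite: "Lax", secure: true, httpOnly: true }));
  for (const sameSite of ["Strict", "Lax", "None", undefined]) {
    console.log(sameSite ?? "(unset, Lax by default)",
      sameSiteMatrix({ sameSite, secure: true, ageSeconds: 60 }));
  }
}
```

Reading the matrix for a session cookie makes the CSRF-relevant point concrete: only `Strict`, or `Lax` with an unsafe method, keeps the cookie off a cross-site form POST, and an unset attribute is no protection at all for the first two minutes after login in a Lax-by-default browser.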
