Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add additional developer warnings for SameSite cookies #2758

Merged
merged 4 commits into from
Mar 18, 2024
Merged

Add additional developer warnings for SameSite cookies #2758

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
48e9ae1
Add additional developer warnings for SameSite cookies
sbingler Mar 12, 2024
6f20ed7
Add to changelog
sbingler Mar 12, 2024
716b7d0
Merge branch 'main' into DeveloperWarnings
sbingler Mar 18, 2024
ddf3f55
Remove whitespace
sbingler Mar 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion draft-ietf-httpbis-rfc6265bis.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2276,7 +2276,16 @@ security properties required by applications.
strict mode, and when supported by the client. It is, however, prudent to ensure
that this designation is not the extent of a site's defense against CSRF, as
same-site navigations and submissions can certainly be executed in conjunction
with other attack vectors such as cross-site scripting.
with other attack vectors such as cross-site scripting or abuse of page
redirections.
sbingler marked this conversation as resolved.
Show resolved Hide resolved

Understanding how and when a request is considered same-site is also important
in order to properly design a site for SameSite cookies. For example, if a
top-level request is made to a sensitive page that request will be considered
mikewest marked this conversation as resolved.
Show resolved Hide resolved
cross-site and SameSite cookies won’t be sent; that page’s sub-resources
requests, however, are same-site and would receive SameSite cookies. Sites can
avoid inadvertently allowing access to these sub-resources by returning an error
for the initial page request if it doesn’t include the appropriate cookies.

Developers are strongly encouraged to deploy the usual server-side defenses
(CSRF tokens, ensuring that "safe" HTTP methods are idempotent, etc) to mitigate
Expand Down Expand Up @@ -2366,6 +2375,11 @@ reload navigation triggered through the user interface may replay the original
(potentially malicious) request. Thus, the reload request should be considered
cross-site, like the request that initially navigated to the page.

Because requests issued for, non-user initiated, reloads attach all SameSite
cookies, developers should be careful and thoughtful about when to initiate a
reload in order to avoid a CSRF attack. For example, the page could only
initiate a reload if a CSRF token is present on the initial request.

### Top-level requests with "unsafe" methods {#unsafe-top-level-requests}

The "Lax" enforcement mode described in {{strict-lax}} allows a cookie to be
Expand Down Expand Up @@ -2700,6 +2714,9 @@ The "Cookie Attribute Registry" should be created with the registrations below:
* Refactor cookie header text
<https://github.com/httpwg/http-extensions/pull/2753>

* Add additional developer warnings for SameSite cookies
<https://github.com/httpwg/http-extensions/pull/2758>


# Acknowledgements
{:numbered="false"}
Expand Down
Loading