SameSite cookies aren't sent on credentialed CORS requests #769
Since CORS exists to enable SOP bypass, cookies are expected to be sent along as long as the request is permitted. And CORS does have a policy to only allow credentialed requests.
Currently, even if a site explicitly allows credentialed CORS requests from third-party domains, SameSite cookies aren't sent. This might break some sites if only authenticated requests are served.
Since CORS is an opt-in mechanism, it would be nice to act as the policy says. If it allows credentialed requests, SameSite cookies should be sent as well.
I just got bit by this and spent a lot of time understanding what the issue was :|
I understand now the purpose of the
Is there anything you would recommend on this situation?
One possible workaround is to use two authentication cookies, one regular and one marked as
Yes, the part of your site which expects to respond to CORS requests could still be vulnerable to CSRF. But requests to this part of your site will be made in
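The behaviour reported in the issue and the two-cookie workaround from the comment above, as an added example that is not code from this thread or from any browser or spec project. It models, in plain JavaScript, what a browser attaches to a credentialed cross-site `fetch()` and how a server can split authentication across a `SameSite=Lax` cookie and a `SameSite=None; Secure` cookie scoped to the CORS-exposed path, using an Origin allow-list as the CSRF control for that path. `ALLOWED_ORIGINS`, the cookie names, the paths and the session id are assumptions made for illustration; cookie `Path` scoping is not modelled.

```javascript
// Added example (not from the thread). ALLOWED_ORIGINS, cookie names and
// paths are assumptions; Path scoping of cookies is not modelled here.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed allow-list
const LAX_COOKIE = "sid";       // sent by the browser on same-site requests only
const CORS_COOKIE = "sid_cors"; // also sent cross-site; SameSite=None requires Secure

// Set-Cookie lines issued at login: same session id, different attributes.
function loginSetCookies(sessionId) {
  return [
    `${LAX_COOKIE}=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    `${CORS_COOKIE}=${sessionId}; Path=/api/cors/; Secure; HttpOnly; SameSite=None`,
  ];
}

// Minimal Set-Cookie parser: name/value plus the attributes this example uses.
// Unspecified SameSite is treated as Lax, matching Chromium's default.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: "Lax", secure: false };
  for (const a of attrs) {
    const [k, v] = a.split("=");
    if (k.toLowerCase() === "samesite") c.sameSite = v;
    if (k.toLowerCase() === "secure") c.secure = true;
  }
  return c;
}

// What a browser attaches to fetch(url, { credentials: "include" }).
// "include" only permits cookies; SameSite still withholds Lax/Strict cookies
// on cross-site requests (fetch() is never a top-level navigation, so the Lax
// exception does not apply), and SameSite=None without Secure is rejected.
function cookieHeaderFor(jar, crossSite) {
  return jar
    .filter((c) => !(c.sameSite === "None" && !c.secure))
    .filter((c) => !crossSite || c.sameSite === "None")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Parse a request Cookie header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// CORS-exposed endpoint. The Origin allow-list is the CSRF control here, since
// the cookie it accepts is SameSite=None; reject before touching cookies so an
// unlisted origin never receives an authenticated response. Preflights (OPTIONS)
// carry no cookies and only get the CORS grant.
function handleCorsEndpoint(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const cors = {
    "Access-Control-Allow-Origin": origin, // echo one origin; "*" is invalid with credentials
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
  if (req.method === "OPTIONS") {
    return { status: 204, headers: { ...cors, "Access-Control-Allow-Methods": "GET, POST" } };
  }
  const sid = parseCookieHeader(req.headers.cookie)[CORS_COOKIE];
  return sid ? { status: 200, headers: cors, session: sid } : { status: 401, headers: cors };
}

// Same-site endpoint: honours only the Lax cookie, so a cross-site request that
// reaches it is unauthenticated regardless of what CORS would have allowed.
function handleSameSiteEndpoint(req) {
  const sid = parseCookieHeader(req.headers.cookie)[LAX_COOKIE];
  return sid ? { status: 200, session: sid } : { status: 401 };
}

// Constructed walk-through: log in, then issue same-site and cross-site
// credentialed requests against both endpoints.
function walkthrough() {
  const jar = loginSetCookies("s3cr3t").map(parseSetCookie);
  const sameSite = cookieHeaderFor(jar, false); // both cookies
  const crossSite = cookieHeaderFor(jar, true);  // only sid_cors: the issue's behaviour
  const get = (origin, cookie) => ({ method: "GET", headers: { origin, cookie } });
  return {
    sameSite,
    crossSite,
    corsFromAllowed: handleCorsEndpoint(get("https://app.example.com", crossSite)).status,
    corsFromUnlisted: handleCorsEndpoint(get("https://evil.example", crossSite)).status,
    laxEndpointCrossSite: handleSameSiteEndpoint({ method: "POST", headers: { cookie: crossSite } }).status,
  };
}
```

Running `walkthrough()` shows the two halves of the trade-off: the cross-site request carries only `sid_cors`, so the Lax-protected part of the site stays unauthenticated from other sites, while the CORS path authenticates only when the Origin is allow-listed.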
What if there was an additional SameSite mode between none and lax, which meant that cross-site requests are allowed to send the cookie, provided that the domain of the origin is "allowed", where "allowed" could either mean matching a whitelist specified in another cookie directive (or part of the SameSite directive), or by making a mandatory preflight to check CORS headers.
If you squint a bit, this is more or less what I proposed in https://tools.ietf.org/html/draft-west-cookie-samesite-firstparty. Given our experience thus far with changing
Kind of. Except that it depends on "First party sets" which can only be defined once for the entire site. Whereas my proposal allows more granular control over which domains are allowed to make requests containing each cookie.