Commit
SameSite cookie changes (#125)
* Update same-site-cookies.md

* Update same-site-cookies.md

* Update same-site-cookies.md

* Update same-site-cookies.md

* Add SameSite cookies in Strict mode

* Add comment about document.cookie

* Update same-site-cookies.md

* in contrast to Strict mode

* remove hint

* Removed most of it.

* Update content/docs/defenses/opt-in/same-site-cookies.md

Co-authored-by: terjanq <terjanq@users.noreply.github.com>

* Update same-site-cookies.md

* Update navigations.md

* unnecessary addition already mentioned

* Fix the hint box

Co-authored-by: terjanq <terjanq@users.noreply.github.com>
NDevTK and terjanq committed Nov 5, 2021
1 parent b45e9bb commit 528243e
Showing 2 changed files with 10 additions and 3 deletions.
2 changes: 1 addition & 1 deletion content/docs/attacks/navigations.md
Expand Up @@ -236,7 +236,7 @@ await ifCached_window("https://example.org");

____
1. Neither [COOP]({{< ref "/docs/defenses/opt-in/coop.md" >}}) nor [Framing Protections]({{< ref "/docs/defenses/opt-in/xfo.md" >}}) helps with the mitigation of the redirect leaks because when the header `Content-Disposition` is present, other headers are being ignored.
2. SameSite cookies in Lax mode could protect against iframing a website, but won't help with the leaks through window references or involving server-side redirects.
2. SameSite cookies in Lax mode could protect against iframing a website, but won't help with the leaks through window references or involving server-side redirects, in contrast to Strict mode.

## Real-World Examples

Expand Down
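Review bot: the trailing "in contrast to Strict mode" on the updated footnote 2 leaves the reader to work out what Strict actually changes; spell it out, since the sibling change in same-site-cookies.md states it: "..., in contrast to Strict mode, which withholds cookies from every cross-site request, including the top-level navigation an attacker triggers via `window.open`, so the page the attacker holds a reference to renders without the victim's session." Without that, the footnote reads as if Strict merely differs rather than closing the two leak paths just named.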
11 changes: 9 additions & 2 deletions content/docs/defenses/opt-in/same-site-cookies.md
Expand Up @@ -24,13 +24,20 @@ The following SameSite cookie modes are available:

* `Strict` – Causes the browser to not include cookies in any cross-site requests. This means `<script src="example.com/resource">`, `<img src="example.com/resource">`, `fetch()`, and `XHR` will all make requests without the SameSite `Strict` cookies attached. Even if the user clicks on a link to `example.com/resource`, their cookies are not included.

* `Lax` – The only difference between `Lax` and `Strict` is that `Lax` mode allows cookies to be added to requests triggered by top-level navigations. This makes `Lax` cookies much easier to deploy since they won't break incoming links to your application. Unfortunately, an attacker can trigger a top-level navigation via `window.open` that allows the attacker to maintain a reference to the `window` object.
* `Lax` – The only difference between `Lax` and `Strict` is that `Lax` mode allows cookies to be added to requests triggered by cross-site top-level navigations. This makes `Lax` cookies much easier to deploy since they won't break incoming links to your application. Unfortunately, an attacker can trigger a top-level navigation via `window.open` that allows the attacker to maintain a reference to the `window` object.

## Considerations

`Strict` cookies provide the strongest security guarantees, but it can be very difficult to deploy `Strict` same-site cookies in an existing application.

SameSite cookies are neither bulletproof [^2] nor can they fix everything. To complement this defense strategy against XS-Leaks, applications should consider implementing other, additional protections. For example, [COOP]({{< ref "coop.md" >}}) can prevent an attacker from controlling pages using a `window` reference even if SameSite cookies in `Lax` mode are used.
SameSite cookies are neither bulletproof [^2] nor can they fix everything. To complement this defense strategy against XS-Leaks, applications should consider implementing other, additional protections. For example, [COOP]({{< ref "coop.md" >}}) can prevent an attacker from controlling pages using a `window` reference after the first navigation even if SameSite cookies in `Lax` mode are used.

{{< hint important >}}
Some browers may not use the default of Lax, So explicitly set the SameSite attrbute to ensure its enforced.
By default, cookies in Chrome without `SameSite` attribute will default to `Lax` mode. However, there is an exception for that behavior for cookies set less than 2 minutes ago that are sent via POST requests. [^3]

[^3]: Cookies default to SameSite=Lax, [link](https://www.chromestatus.com/feature/5088147346030592)
{{< /hint >}}

## Deployment

Expand Down
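Review bot: the rewritten hint drops the one actionable instruction from the removed line, to set the `SameSite` attribute explicitly; keep it, because the Lax default described in the new text is Chrome behaviour and comes with the two-minute exception, so a cookie that relies on the default is not guaranteed Lax treatment. The exception itself is also stated more broadly than the linked feature describes: it applies only to cookies that carry no `SameSite` attribute, and only to top-level cross-site POST requests, not to POST requests in general. Suggested wording: "However, Chrome exempts cookies set less than 2 minutes ago from this default on top-level cross-site POST requests. [^3] Set `SameSite` explicitly so the intended mode is enforced regardless of browser defaults."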
