Confusion regarding SameSite changes with Chrome

I need some help understanding a case which I cannot find described in any material I have found on the new SameSite restrictions in Chrome. Currently, I have a site hosted which makes cross-site requests to an API. The API responds with CORS headers. The details are:

Site: https://a.a.com
API: https://b.a.com

--API response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://a.a.com

--cookie previously set with

Set-Cookie: value=somevalue; Path=/; Expires=<some time/date>; HttpOnly 

I don't expect the CORS headers to impact anything (based on everything I have seen it never mentions the SameSite changes) but I am putting them here anyways. Given this scenario and when I set the flags at:

chrome://flags/#same-site-by-default-cookies
chrome://flags/#cookies-without-same-site-must-be-secure 

I would expect the browser to block the sending of the cookie value, because I would expect the cookie to be treated as if it had SameSite=Lax and these are cross-site requests. This is not what actually happens, and the cookie is sent successfully. When testing this, I also tried waiting 3 minutes between any requests and a POST request to avoid the "Lax+POST" mitigation, as we set the cookie (with an updated expiration) on every response. Based on what I am reading about the changes, I don't understand why the sending of this cookie is not blocked by the browser and why these requests succeed.

To make things more confusing, we have some cases during development with the following scenario:

Site: http://localhost
API: https://a.b.com

--API response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost

--cookie previously set with

Set-Cookie: value=somevalue; Path=/; Expires=<some time/date>; HttpOnly 

Unlike the first scenario described, these requests actually block the cookie from being sent as expected (only when new chrome flags are enabled). The warning message the browser gives is related to SameSite and Secure flags as I would expect.

Can someone help me understand why the first scenario is working yet the second is not? My concern is that its working is actually a bug and that it shouldn't. If this is the case, it may be that in the future it will, without warning, go from "working" to "failing".

Details of the Chrome changes/flags I found are here:

  • https://www.chromestatus.com/feature/5633521622188032
  • https://www.chromium.org/updates/same-site
  • https://web.dev/samesite-cookies-explained/
Goblinlord asked Mar 20 '20



1 Answer

As mentioned at https://web.dev/samesite-cookies-explained/:

If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request.

Same as your first case:

Site: https://a.a.com
API: https://b.a.com

So the browser considers your first request a same-site request and the cookies won't be removed, but the second one is a cross-site request and cookies without a SameSite attribute will be removed.

melbx answered Oct 19 '22
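The following is an added example, not code from the question or the answer above. It models the rules the answer relies on as a small JavaScript decision procedure: a "site" is the registrable domain (eTLD+1, so a.a.com and b.a.com are the same site while localhost and a.b.com are not), a cookie with no SameSite attribute is treated as Lax, SameSite=None is rejected at Set-Cookie time unless it also carries Secure, and the "Lax+POST" two-minute exception applies only to top-level navigations, which is why waiting between fetch/XHR calls as described in the question makes no difference. The PUBLIC_SUFFIXES list, the function names and the request/cookie shapes are assumptions of this example; a real browser consults the Public Suffix List, and later Chrome versions additionally compare the URL scheme ("schemeful same-site"), which this model omits.

```javascript
// Added example: a simplified model of Chrome's "SameSite by default" cookie rules.
// Not browser code; the suffix list below is a constructed stand-in for the
// Public Suffix List and covers only the hosts used in this example.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (eTLD+1) of a URL, the "site" SameSite compares.
function siteOf(url) {
  const host = new URL(url).hostname;
  const labels = host.split(".");
  // Try the longest candidate suffix first so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host; // no listed suffix, e.g. "localhost": the host is its own site
}

function isSameSite(urlA, urlB) {
  return siteOf(urlA) === siteOf(urlB);
}

// Parse a Set-Cookie header and apply the set-time rules: a missing SameSite
// attribute is recorded as null (treated as Lax later), SameSite=None needs
// Secure, and a Secure cookie must be set over HTTPS. Returns null on rejection.
function acceptSetCookie(header, setOverHttps) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  if (cookie.secure && !setOverHttps) return null;
  if (cookie.sameSite === "none" && !cookie.secure) return null;
  return cookie;
}

// Decide whether `cookie` is attached to a request. `request` fields (assumed shape):
//   topLevelSite: URL of the page issuing the request
//   url:          request target
//   method:       HTTP method
//   navigation:   true for a top-level navigation, false for fetch/XHR/img
//   ageSeconds:   seconds since the cookie was set (for the Lax+POST exception)
function cookieSent(cookie, request) {
  if (cookie.secure && !request.url.startsWith("https:")) {
    return { sent: false, reason: "Secure cookie on a non-HTTPS request" };
  }
  if (isSameSite(request.topLevelSite, request.url)) {
    return { sent: true, reason: "same-site request (same registrable domain)" };
  }
  const effective = cookie.sameSite ?? "lax"; // SameSite by default
  if (effective === "none") return { sent: true, reason: "SameSite=None; Secure" };
  if (effective === "strict") return { sent: false, reason: "Strict on a cross-site request" };
  if (!request.navigation) {
    return { sent: false, reason: "Lax cookie on a cross-site subresource request" };
  }
  // Lax allows top-level navigations with safe methods (modelled as GET only).
  if (request.method === "GET") return { sent: true, reason: "Lax: top-level GET navigation" };
  // "Lax+POST": a cookie with no SameSite attribute that is under 2 minutes old
  // is still sent on a top-level cross-site POST.
  if (cookie.sameSite === null && request.ageSeconds < 120) {
    return { sent: true, reason: "Lax+POST exception (cookie younger than 2 minutes)" };
  }
  return { sent: false, reason: "Lax cookie on a cross-site top-level POST" };
}

// The cookie from the question, minus the Expires placeholder.
const questionCookie = acceptSetCookie("value=somevalue; Path=/; HttpOnly", true);

// Scenario 1: page on a.a.com calling b.a.com via fetch -> same site, cookie sent.
const scenario1 = cookieSent(questionCookie, {
  topLevelSite: "https://a.a.com", url: "https://b.a.com/api",
  method: "POST", navigation: false, ageSeconds: 600,
});

// Scenario 2: page on localhost calling a.b.com via fetch -> cross-site, Lax blocks it.
const scenario2 = cookieSent(questionCookie, {
  topLevelSite: "http://localhost", url: "https://a.b.com/api",
  method: "POST", navigation: false, ageSeconds: 600,
});

console.log("scenario 1:", scenario1);
console.log("scenario 2:", scenario2);
```

Run it with `node` and the two scenario results reproduce the observed behaviour: the first request is same-site by registrable domain and is not subject to SameSite at all, so the CORS headers and the Lax+POST timing play no part; the second is cross-site, and the only way to get the cookie onto that fetch is to set it with `SameSite=None; Secure`, which `acceptSetCookie` rejects unless both attributes are present.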