Menu
I need some help understanding a case which I can not find described in material I have found describing the new SameSite restrictions for Chrome. Currently, I have a case where I have a site hosted which makes cross-site requests to an API. The API responds with CORS headers. The details are:
Site: https://a.a.com
API: https://b.a.com
--API response headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://a.a.com
--cookie previously set with
Set-Cookie: value=somevalue; Path=/; Expires=<some time/date>; HttpOnly
I don't expect the CORS headers to impact anything (based on everything I have seen it never mentions the SameSite changes) but I am putting them here anyways. Given this scenario and when I set the flags at:
chrome://flags/#same-site-by-default-cookies
chrome://flags/#cookies-without-same-site-must-be-secure
I would expect the browser to block the sending of the cookie value. This being because I would expect the cookie to be treated as if it had SameSite=Lax and that these are cross-site requests. This is not what actually happens and the cookie is sent successfully. When testing this, I also tried waiting 3 minutes between any requests and a POST request to avoid the "Lax+POST" mitigation as we set the cookie (with updated expiration) on every response. Based on what I am reading about the changes, I don't understand why the sending of this cookie is not blocked by the browser and why these requests succeed.
To make things more confusing, we have some cases during development with the following scenario:
Site: http://localhost
API: https://a.b.com
--API response headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost
--cookie previously set with
Set-Cookie: value=somevalue; Path=/; Expires=<some time/date>; HttpOnly
Unlike the first scenario described, these requests actually block the cookie from being sent as expected (only when new chrome flags are enabled). The warning message the browser gives is related to SameSite and Secure flags as I would expect.
Can someone help me understand why the first scenario is working yet the second is not? My concern is that it working is actually a bug and it shouldn't. If this is the case, it may be possible that in the future it might, without warning, go from "working" to "failing".
Details of the Chrome changes/flags I found are here:
730
Fixing common warnings The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
Go to chrome://flags and enable (or set to "Default") both #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart Chrome for the changes to take effect, if you made any changes.
Q: What are the new SameSite changes? Chrome is changing the default behavior for how cookies will be sent in first and third party contexts. Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax , i.e. they will be restricted to first-party or same-site contexts by default.
Go to chrome://flags/ then search cookies in the search box, there should be 4 options. Check Enable removing SameSite=None cookies and Consider SameParty cookies to be first-party sections.
as mentioned here https://web.dev/samesite-cookies-explained/:
If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request.
Same as your first case:
Site: https://a.a.com
API: https://b.a.com
So the browser considers your first request as a same-site request and cookies won't be removed, but the second one is a cross-site request and cookies without samesite attribute will be removed.
124
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
