 

Cookies without "SameSite" attribute are sent on different sub domains

So I've read about Chrome 80's cookies defaulting to SameSite=Lax and like the rest of you, I'm now trying to measure the impact this will have on my site.

The site I'm running is split on several sub-domains and each of them uses their own cookie. It looks like this:

  • first-site.domain.com uses Cookie1 (path=/; secure; httponly)
  • second-site.domain.com uses Cookie2 (path=/; secure; httponly)

Since these cookies do not specify the SameSite attribute, they are supposed to be treated as Lax on Chrome 80 and therefore should be limited to same-site requests (unless it's a top level navigation).

Then, according to SameSite cookies explained:

If the user is on your-project.github.io and requests an image from my-project.github.io that's a cross-site request.

So when I enabled the “SameSite by default cookies” and “Cookies without SameSite must be secure” flags, I was surprised to observe that when first-site.domain.com embeds second-site.domain.com in a frame, Cookie2 was still being sent to second-site.domain.com, which seems contradictory.

Surely I must have misunderstood something, but at the moment, I'm still puzzled.

Note: I've verified that when I embed second-site.domain.com in a frame on anotherdomain.com, the cookies are not sent by the browser (as expected).

Gyum Fox Avatar asked Dec 23 '22 19:12



1 Answer

If "domain.com" is on the public suffix list, then subdomain1.domain.com and subdomain2.domain.com are considered different sites. Otherwise, they are considered the same site.

The relevant notion of "site" when it comes to SameSite cookies is the eTLD+1 (effective Top Level Domain + 1 label). An effective Top Level Domain is something like .com or .co.uk or .github.io. All the eTLDs are listed on the public suffix list.

An eTLD+1 is the effective Top Level Domain plus the 1 label immediately to its left. The eTLD+1 is also called the "registrable domain". The intuition is that two different eTLD+1s are controlled by different entities, and everything that is a subdomain of the same eTLD+1 is controlled by the same entity. For example, mysite.github.io is a different eTLD+1 than yoursite.github.io, because I cannot modify your site, and you can't modify mine. On the other hand, the same company owns both subdomain1.domain.com and subdomain2.domain.com and can modify both sites.

If the eTLD+1s are the same for two domain names, they are considered the same site for the purposes of SameSite cookies.

chlily Avatar answered Feb 08 '23 22:02

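An added example, not part of the question or the answer, that applies the eTLD+1 rule above to the hostnames in the question. It uses a small constructed subset of the public suffix list, compares hostnames only (it ignores scheme and the list's wildcard and exception rules), and models the Lax default the question is about: same-site requests and cross-site top-level navigations with a safe method carry the cookie, cross-site frames do not.

```python
# Constructed subset of the public suffix list (https://publicsuffix.org/).
# The real list has thousands of entries plus wildcard/exception rules that
# this illustration deliberately leaves out.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "io", "github.io"}


def etld_plus_one(host: str):
    """Return the registrable domain (eTLD+1) of a hostname, or None.

    The effective TLD is the longest suffix of the host that appears on the
    public suffix list; the eTLD+1 is that suffix plus the one label
    immediately to its left. A host that is itself a public suffix
    (e.g. "github.io") has no registrable domain.
    """
    labels = host.lower().rstrip(".").split(".")
    # Longest suffix first, so "co.uk" wins over "uk" and
    # "github.io" wins over "io".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # No listed suffix: fall back to the last two labels (a simplification).
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def same_site(host_a: str, host_b: str) -> bool:
    """Two hosts are the same site for SameSite purposes when they share
    an eTLD+1, e.g. first-site.domain.com and second-site.domain.com."""
    a, b = etld_plus_one(host_a), etld_plus_one(host_b)
    return a is not None and a == b


def lax_cookie_sent(cookie_host: str, initiator_host: str,
                    top_level_navigation: bool = False,
                    method: str = "GET") -> bool:
    """Whether a cookie with no SameSite attribute (treated as Lax by
    Chrome 80) accompanies a request to cookie_host initiated from a page
    on initiator_host.

    Lax cookies are attached to same-site requests of any kind, and to
    cross-site requests only when they are top-level navigations using a
    safe HTTP method. A cross-site frame or subresource gets no cookie.
    (Chrome's temporary "Lax+POST" allowance is not modelled here.)
    """
    if same_site(cookie_host, initiator_host):
        return True
    safe_methods = {"GET", "HEAD", "OPTIONS", "TRACE"}
    return top_level_navigation and method.upper() in safe_methods
```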