Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cookies without "SameSite" attribute are sent on different sub domains

Tags:

google-chrome

cookies

samesite

So I've read about Chrome 80's cookies defaulting to SameSite=Lax and like the rest of you, I'm now trying to mesure the impact this will have on my site.

The site I'm running is split on several sub-domains and each of them uses their own cookie. It looks like this:

  • first-site.domain.com uses Cookie1 (path=/; secure; httponly)
  • second-site.domain.com uses Cookie2 (path=/; secure; httponly)

Since these cookies do not specify the SameSite attribute, they are supposed to be treated as Lax on Chrome 80 and therefore should be limited to same-site requests (unless it's a top level navigation).

Then, according to SameSite cookies explained:

If the user is on your-project.github.io and requests an image from my-project.github.io that's a cross-site request.

So when I enabled the “SameSite by default cookies” and “Cookies without SameSite must be secure” flags, I was surprised to observe that when first-site.domain.com embeds second-site.domain.com in a frame, Cookie2 was still being sent to second-site.domain.com, which seems contradictory.

Surely I must have misunderstood something, but at the moment, I'm still puzzled.

Note: I've verified that when I embed second-site.domain.com in a frame on anotherdomain.com, the cookies are not sent by the browser (as expected).

like image 888
Gyum Fox Avatar asked Dec 23 '22 19:12

Gyum Fox

1 Answers

If "domain.com" is on the public suffix list, then subdomain1.domain.com and subdomain2.domain.com are considered different sites. Otherwise, they are considered the same site.

The relevant notion of "site" when it comes to SameSite cookies is the eTLD+1 (effective Top Level Domain + 1 label). An effective Top Level Domain is something like .com or .co.uk or .github.io. All the eTLD's are listed on the public suffix list.

An eTLD+1 is the effective Top Level Domain plus the 1 label immediately to its left. The eTLD+1 is also called the "registrable domain". The intuition is that two different eTLD+1's are controlled by different entities, and everything that is a subdomain of the same eTLD+1 is controlled by the same entity. For example, mysite.github.io is a different eTLD+1 than yoursite.github.io, because I cannot modify your site, and you can't modify mine. On the other hand, the same company owns both subdomain1.domain.com and subdomain2.domain.com and modify both sites.

If the eTLD+1's are the same for two domain names, they are considered the same site for the purposes of SameSite cookies.

like image 194
chlily Avatar answered Feb 08 '23 22:02

chlily
Sign in to Comment

Related questions

IE 11 displays CSS differently from other browsers
angular js input date on firefox
Can't open Angular app using file protocol in Chrome
CSS Animation works in Chrome, but not in FireFox
google font not displayed in Chrome
Is there a way set a break-point (eg. when named function is called) programatically?
Chrome extension API for intercepting/modifying websockets UA
How to edit/reset Chrome DevTools settings manually on disk?
Chrome Extension: How to create context menu with custom name, instead of plugin name
URL-embedded credentials
CSS Box shadow doesn't appear in Chrome
Chrome Inspect - close preview frame
Adobe Flash in Selenium, Chrome 54.0.2840.59-1: "This plugin is not supported"
Find version of Chrome browser in registry
Use Google Chrome Puppeteer
How can we use local Chrome's cookies to login using Selenium?
Increase Maximum body size for the fetch api in chrome
Fixed and always on top popup window in a Chrome extension
Allow Flash content in Chrome 71 running via chromedriver
Can I mock the response of my request in chrome dev tool?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!