 

What are the security differences between cookies with Domain vs SameSite strict?

When we create a cookie we can specify where it's being used by setting the domain attribute.

Set-Cookie: Foo=bar; Path=/; Secure; Domain=baz.qux.com;

The cookie above will be used along only with requests to the domain baz.qux.com.

Set-Cookie: Foo=bar; Path=/; Secure; SameSite=strict;

The cookie above omits the domain attribute, which means the domain where the cookie was set will be used (subdomains excluded, exception for IE). It also has the attribute SameSite=strict, which means:

SameSite cookies let servers require that a cookie shouldn't be sent with cross-site (where Site is defined by the registrable domain) requests, which provides some protection against cross-site request forgery attacks (CSRF).

from MDN

What are the differences in behaviour between these two cookies if both were set on the domain baz.qux.com?

How does the SameSite=strict attribute protect against CSRF that the other cookie with specified domain does not?

miphe asked Jul 18 '19 09:07


1 Answer

The Domain attribute restricts the hosts that the cookie will be sent to. The SameSite attribute restricts the origins from which the cookie may be sent.

So the first cookie:

Set-Cookie: Foo=bar; Path=/; Secure; Domain=baz.qux.com;

can be sent to baz.qux.com or any of its subdomains, regardless of the request's origin (i.e. whether sent from a webpage hosted at baz.qux.com or at foo.example.com).

The second cookie:

Set-Cookie: Foo=bar; Path=/; Secure; SameSite=strict;

can only be sent to baz.qux.com (since no domain is specified, and ignoring the IE exception), and only when the request originates from the qux.com site (i.e. it won't be sent for cross-site requests).

This helps prevent CSRF by preventing random web sites (hacker.example.com) from performing authenticated requests to third-parties (baz.qux.com) that include session cookies.

rmbrad answered Oct 20 '22 20:10
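The two rules the answer describes, host scoping by Domain and origin scoping by SameSite, can be modelled as a small decision function. The following is an added example, not code from the question or answer above: it parses the two Set-Cookie headers from the thread as if both were set by baz.qux.com and decides whether a browser would attach each cookie to a request, given the request URL and the site of the page that initiated it. Two assumptions are labelled in the code: the registrable domain is approximated as the last two host labels (real browsers consult the Public Suffix List), and a cookie with no SameSite attribute is treated as unrestricted, which matches the 2019 behaviour the answer assumes; Chromium-based browsers have since defaulted to Lax.

```javascript
// Added example (not part of the original Q&A): a simplified model of a
// browser's "should this cookie be sent?" decision, covering the Domain
// attribute (which hosts receive the cookie) and the SameSite attribute
// (from which sites a request may originate and still carry it).

// ASSUMPTION: registrable domain ("site") approximated as the last two
// labels. Real browsers use the Public Suffix List (e.g. co.uk is a suffix).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// RFC 6265 domain-matching: the host is the cookie domain itself or a
// subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Parse a Set-Cookie header value received from `setOnHost`.
function parseSetCookie(header, setOnHost) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, value] = parts[0].split("=");
  const cookie = {
    name,
    value,
    domain: setOnHost.toLowerCase(),
    hostOnly: true,      // no Domain attribute => exact host only
    secure: false,
    // ASSUMPTION: missing SameSite treated as "none" (pre-2020 behaviour);
    // current Chromium-based browsers default to "lax" instead.
    sameSite: "none",
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain":
        cookie.domain = v.replace(/^\./, "").toLowerCase();
        cookie.hostOnly = false;     // Domain attribute => subdomains too
        break;
      case "secure":
        cookie.secure = true;
        break;
      case "samesite":
        cookie.sameSite = v.toLowerCase();
        break;
    }
  }
  return cookie;
}

// Decide whether `cookie` is attached to a request for `targetUrl` that was
// initiated by a page at `initiatorOrigin`. `topLevelNavigation` models the
// user following a link, which matters for Lax but not for Strict.
function shouldSendCookie(cookie, targetUrl, initiatorOrigin,
                          { method = "GET", topLevelNavigation = false } = {}) {
  const target = new URL(targetUrl);
  if (cookie.secure && target.protocol !== "https:") return false;

  // Domain attribute: which hosts may receive the cookie.
  const hostOk = cookie.hostOnly
    ? target.hostname === cookie.domain
    : domainMatches(target.hostname, cookie.domain);
  if (!hostOk) return false;

  // SameSite attribute: compare the site of the initiator with the target.
  const initiatorSite = registrableDomain(new URL(initiatorOrigin).hostname);
  const sameSite = initiatorSite === registrableDomain(target.hostname);
  switch (cookie.sameSite) {
    case "strict": return sameSite;
    case "lax":    return sameSite || (topLevelNavigation && method === "GET");
    default:       return true;   // SameSite=None: origin is not checked
  }
}

// The two cookies from the thread, both set by baz.qux.com.
const domainCookie = parseSetCookie(
  "Foo=bar; Path=/; Secure; Domain=baz.qux.com", "baz.qux.com");
const strictCookie = parseSetCookie(
  "Foo=bar; Path=/; Secure; SameSite=strict", "baz.qux.com");

// A forged cross-site POST from an attacker-controlled page (the CSRF case).
const csrfTarget = "https://baz.qux.com/transfer";
const attackerPage = "https://hacker.example.com";
console.log("Domain cookie sent with CSRF POST:",
  shouldSendCookie(domainCookie, csrfTarget, attackerPage, { method: "POST" }));
console.log("Strict cookie sent with CSRF POST:",
  shouldSendCookie(strictCookie, csrfTarget, attackerPage, { method: "POST" }));
```

Running it shows the asymmetry the answer points out: the Domain cookie still rides along on the attacker-initiated POST (and on requests to api.baz.qux.com, since Domain widens the host scope), while the SameSite=strict cookie is withheld because hacker.example.com and baz.qux.com are different sites, yet it is still sent for a request initiated from www.qux.com, which shares the registrable domain qux.com.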