What is difference between SameSite="Lax" and SameSite="Strict"?

Tags:

samesite

Can anyone tell me the difference between SameSite="Lax" and SameSite="Strict" with a nice example, as I am a bit confused between these two?

Simant asked Jan 30 '20 16:01



People also ask

What is SameSite LAX?

Overview. SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are none, lax, or strict.

Why does LAX have SameSite?

The “Lax” value in SameSite is a more relaxed form of cross-site request protection. With this setting, your web browser will allow most cross-domain cookie-sharing so long as these originate from a top-level GET request.

What is strict and SameSite enforcement?

Cookies set with SameSite=Strict restrict cross-site sharing entirely, even between different domains owned by the same publisher. Chrome has a setting under "chrome://flags" that checks the SameSite attribute on the site's cookies: #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure.

What does lax mean in cookies?

Lax. Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).


1 Answer

Lax allows the cookie to be sent on some cross-site requests, whereas Strict never allows the cookie to be sent on a cross-site request.

The situations in which Lax cookies can be sent cross-site must satisfy both of the following:

  1. The request must be a top-level navigation. You can think of this as equivalent to when the URL shown in the URL bar changes, e.g. a user clicking on a link to go to another site.
  2. The request method must be safe (e.g. GET or HEAD, but not POST).

For example:

  1. Let's say a user is on site-a.com and clicks on a link to go to site-b.com. This is a cross-site request. This is a top-level navigation and is a GET request, so Lax cookies are sent to site-b.com. However, Strict cookies are not sent because it is, after all, a cross-site request.
  2. The user is on site-a.com and there is an iframe in which site-b.com is loaded. This is a cross-site request, but it's not a top-level navigation (the user is still on site-a.com, i.e. the URL bar doesn't change when the iframe is loaded). Therefore neither Lax nor Strict cookies are sent to site-b.com.
  3. The user is on site-a.com which POSTs a form to site-b.com. This is a cross-site request, but the method (POST) is unsafe. It doesn't meet the criteria for Lax cookies going cross-site, so neither Lax nor Strict cookies are sent to site-b.com.
chlily answered Oct 11 '22 07:10

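The decision rules from the answer above, as an added example that is not part of the question or the answer: a small model of "would the browser attach this cookie to this request?", with the three scenarios from the answer as constructed inputs. The request and cookie object shapes are invented for the illustration; the `None` branch adds the Secure requirement mentioned in the "People also ask" snippets.

```javascript
// Added example, not from the original post. Models the SameSite rules
// described in the answer as a predicate over a cookie and a request.
// The field names (crossSite, topLevelNavigation, method, sameSite,
// secure) are assumptions made for this illustration.

// "Safe" methods in the HTTP sense: they are not meant to change state.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function isCookieSent(cookie, request) {
  // SameSite only restricts cross-site requests; same-site always sends.
  if (!request.crossSite) return true;

  switch (cookie.sameSite) {
    case "Strict":
      // Strict never travels cross-site, not even on a top-level link click.
      return false;
    case "Lax":
      // Both of the answer's conditions must hold: top-level navigation
      // AND a safe method. A cross-site POST therefore carries no Lax
      // cookie, which is what blunts classic form-based CSRF.
      return request.topLevelNavigation === true &&
        SAFE_METHODS.has(request.method.toUpperCase());
    case "None":
      // None is sent cross-site, but only when the cookie is also Secure.
      return cookie.secure === true;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenarios matching the three in the answer (user on
// site-a.com, cookie belongs to site-b.com).
const scenarios = {
  linkClick: { crossSite: true, topLevelNavigation: true, method: "GET" },
  iframeLoad: { crossSite: true, topLevelNavigation: false, method: "GET" },
  crossSitePost: { crossSite: true, topLevelNavigation: true, method: "POST" },
};

// Returns a table of results so the matrix can be inspected or asserted on.
function sameSiteMatrix() {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) {
    out[name] = {
      Lax: isCookieSent({ sameSite: "Lax" }, req),
      Strict: isCookieSent({ sameSite: "Strict" }, req),
    };
  }
  return out;
}
```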