SameSite Cookies 🍪

Topics

  • What are SameSite Cookies
     
  • What is changing on Feb 4, 2020
     
  • What is the impact

Usage|What are SameSite Cookies

  • Cookies used to identify users (sessions, tracking)
  • Cookies help to store preferences
  • Used for segmentation of traffic, feature testing, a/b testing, personalization
  • ...etc...

Brief overview|What are SameSite Cookies

  • Cookies are passed between client and server via headers
  • Cookies can be read by browsers via javascript, as long as they were not set with `HttpOnly` flag
  • Cookies which are set with `Secure` flag are only passed via https connection

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Third party|What are SameSite Cookies

https://web.dev/samesite-cookies-explained/

Cookies may come from a variety of different domains on one page.

Third party|What are SameSite Cookies

https://web.dev/samesite-cookies-explained/

A cookie in a third-party context is sent when visiting different pages.

First vs third party|What are SameSite Cookies

https://web.dev/samesite-cookies-explained/

  • site.com   vs   site.net
  • site.com   vs   www.site.com
  • site.io   vs   sub.site.io
  • alpha.site.io   vs   beta.site.io
  • user1.github.io   vs   user2.github.io

Public suffix list|What are SameSite Cookies

https://publicsuffix.org/

  • site.com   =/=   site.net
  • site.com   ==   www.site.com
  • site.io   ==   sub.site.io
  • alpha.site.io   ==   beta.site.io
  • user1.github.io   =/=   user2.github.io
  • user1.github.io   ??   www.user1.github.io

SameSite|What are SameSite Cookies

https://web.dev/samesite-cookies-explained/

Set-Cookie: my-cookie=1; SameSite=Lax

SameSite|What are SameSite Cookies

https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies

  • A cookie with "SameSite=Strict" will only be sent with a same-site request.
  • A cookie with "SameSite=None" will be sent with both same-site and cross-site requests.
  • A cookie with "SameSite=Lax" will be sent with a same-site request, or a cross-site top-level navigation with a "safe" HTTP method.

Caniuse|What are SameSite Cookies

https://caniuse.com/#search=samesite

Browser support check|What are SameSite Cookies

https://samesite-sandbox.glitch.me/

What is changing on Feb 4

https://www.chromestatus.com/features/schedule

  • Cookies with no SameSite are currently treated as SameSite=None
  • After Chrome v80 release on Feb 4, 2020 cookies with no SameSite will be treated as SameSite=Lax
  • Cookies with SameSite=None should also have `Secure` flag

Demo|What is changing on Feb 4

https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/

 

 

`SameSite=None; Secure` | Impact

Made with Slides.com