The SameSite attribute of a cookie is used to restrict third-party cookies and so reduce security risk.
It can take three values:
Strict is the most restrictive: no third-party cookies are allowed, and the cookie is never sent on a cross-site request under any circumstances. In other words, the cookie is attached only when the site of the current page matches the request target.
Set-Cookie: CookieName=CookieValue; SameSite=Strict;
This rule is too strict and can make for a poor user experience. For example, if the current page contains a link to GitHub, the user's GitHub cookie is not sent when they click it, so they always arrive at GitHub logged out.
Lax is slightly more relaxed: in most cases third-party cookies are not sent, except on GET requests that navigate to the target URL.
Set-Cookie: CookieName=CookieValue; SameSite=Lax;
GET requests that navigate to the target URL cover only three cases: links, prerender (preload) requests, and GET forms. See the table below for details.
Once Strict or Lax is set, CSRF attacks are largely eliminated. The premise, of course, is that the user's browser supports the SameSite attribute.
Chrome plans to make Lax the default. Websites can then explicitly opt out of the SameSite restriction by setting it to None; however, the Secure attribute must be set at the same time (the cookie is then only sent over HTTPS), otherwise the setting is invalid.
The following setting is invalid:
Set-Cookie: widget_session=abc123; SameSite=None
The following setting is valid:
Set-Cookie: widget_session=abc123; SameSite=None; Secure
The Secure attribute must be set at the same time: the cookie can then only be sent over the HTTPS protocol.
New cookie settings in Chrome
Chrome 80 introduces two independent settings for users:
- SameSite by default cookies: when enabled, every cookie whose SameSite attribute is unspecified is automatically treated as SameSite=Lax.
- Cookies without SameSite must be secure: when enabled, a cookie set without a SameSite attribute, or with SameSite=None, must also carry the Secure attribute. In this context, secure means the browser requests carrying the cookie must use HTTPS; cookies that do not meet this requirement are rejected. All websites should use HTTPS to meet this requirement.
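The following simulator is an added example and is not code from the original article or from Chrome. It models the browser-side decisions the article describes: the Strict, Lax and None modes, the rejection of SameSite=None without Secure, and the Chrome 80 "SameSite by default" behaviour that treats an unspecified attribute as Lax. The function names (`parse_set_cookie`, `is_accepted`, `is_sent`, `csrf_post_carries_cookie`) and the `lax_by_default` switch are this example's own assumptions; real browsers add details that are not modelled here, such as the temporary allowance for POST on freshly set Lax-by-default cookies.

```python
"""Simulate a browser's SameSite cookie decisions (added example, not the article's code).

Models: Strict / Lax / None, "SameSite=None requires Secure", and the Chrome 80
"SameSite by default" rule (unspecified -> Lax). Real browsers have further
nuances (e.g. a short-lived Lax+POST allowance) that are deliberately omitted.
"""
from dataclasses import dataclass
from typing import Optional

# Methods a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD"}


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header (with or without the 'Set-Cookie:' prefix).

    Attribute names are case-insensitive, so 'samesite=none; secure' is read
    the same as 'SameSite=None; Secure'.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()  # normalises none/NONE -> "None"
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def effective_samesite(cookie: Cookie, lax_by_default: bool = True) -> str:
    """Mode the browser applies; an unspecified attribute becomes Lax under Chrome 80 defaults."""
    if cookie.samesite is None:
        return "Lax" if lax_by_default else "None"
    return cookie.samesite


def is_accepted(cookie: Cookie, lax_by_default: bool = True) -> bool:
    """Whether the browser stores the cookie at all: effective None without Secure is rejected."""
    return not (effective_samesite(cookie, lax_by_default) == "None" and not cookie.secure)


def is_sent(cookie: Cookie, *, cross_site: bool, method: str,
            top_level_navigation: bool, https: bool, lax_by_default: bool = True) -> bool:
    """Whether an already-stored cookie is attached to a request."""
    if cookie.secure and not https:
        return False  # Secure cookies never travel over plain HTTP
    if not cross_site:
        return True  # same-site requests are unaffected by SameSite
    mode = effective_samesite(cookie, lax_by_default)
    if mode == "Strict":
        return False  # never sent cross-site, not even on a link click
    if mode == "Lax":
        # only top-level navigations with a safe method: link, prerender, GET form
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # None: sent cross-site (it had to be Secure to be stored)


def csrf_post_carries_cookie(header: str, lax_by_default: bool = True) -> bool:
    """Defender's check: would a cross-site form POST (the classic CSRF vector) carry this cookie?"""
    cookie = parse_set_cookie(header)
    if not is_accepted(cookie, lax_by_default):
        return False
    return is_sent(cookie, cross_site=True, method="POST",
                   top_level_navigation=True, https=True, lax_by_default=lax_by_default)


if __name__ == "__main__":
    # Constructed sample headers mirroring the article's examples.
    for h in ["session=abc; SameSite=Strict", "session=abc; SameSite=Lax",
              "session=abc; SameSite=None", "session=abc; SameSite=None; Secure",
              "session=abc", "session=abc; Secure"]:
        c = parse_set_cookie(h)
        accepted = is_accepted(c)
        link = accepted and is_sent(c, cross_site=True, method="GET",
                                    top_level_navigation=True, https=True)
        print(f"{h:40} accepted={accepted!s:5} link_click={link!s:5} "
              f"csrf_post={csrf_post_carries_cookie(h)}")
```

Running the block prints one line per sample header. The `lax_by_default=False` switch reproduces the pre-Chrome-80 world, where a cookie set with neither SameSite nor Secure is rejected under the "must be secure" rule, while one with only Secure is treated as None and still rides along on a cross-site POST.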