Revision as of 20:57, 12 March 2021 view source Jdbtwo (talk \| contribs) Extended confirmed users 704 edits m →{{anchor\|cookie wall}}Cookie wall: Minor grammar fixes... Tag: 2017 wikitext editor ← Previous edit		Revision as of 00:46, 21 March 2021 view source Pleasancoder (talk \| contribs) 76 edits m →{{anchor\|SameSite cookie}}Same-site cookie Next edit →
Line 49: ==={{anchor\|SameSite cookie}}Same-site cookie=== In 2016 [[Google Chrome]] version 51 introduced<ref>{{Cite web\|url=https://www.chromestatus.com/feature/4672634709082112\|title='SameSite' cookie attribute, Chrome Platform tatus\|website=Chromestatus.com\|access-date=2016-04-23\|archive-url=https://web.archive.org/web/20160509064447/https://www.chromestatus.com/feature/4672634709082112\|archive-date=2016-05-09\|url-status=live}}</ref> a new kind of cookie with attribute <code>SameSite</code>. Attribute <code>SameSite</code> can have a value of <code>Strict</code>, <code>Lax</code> or <code>None</code>.<ref>{{Cite web\|url=https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00\|title=Same-Site Cookies draft-ietf-httpbis-cookie-same-site-00\|last1=Goodwin\|last2=West\|first1=M.\|website=tools.ietf.org\|access-date=2016-07-28\|archive-url=https://web.archive.org/web/20160816182604/https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00\|archive-date=2016-08-16\|url-status=live}}</ref> <br/>      With attribute <code>SameSite=Strict</code>, the browsers ~~should~~would only send ~~these~~ cookies ~~with~~to ~~requests~~target ~~originated~~___domain ~~from~~that is the same ~~___domain/site~~ as ~~the target~~origin ___domain. This would effectively mitigate [[cross-site request forgery]] (CSRF) attacks.<ref>https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/</ref>. <br/>      With <code>SameSite=Lax</code>, browsers would ~~not~~send ~~restrict~~cookies ~~originating~~with ~~site,~~requests ~~but~~to ~~enforce~~a target ___domain toeven beit ~~the~~is ~~same~~different asfrom ~~cookie~~origin ___domain, ~~effectively~~but ~~blocking~~only ~~third-party (cross-site) cookies. Attribute~~for <~~code~~i>~~SameSite=None~~safe</~~code~~i> ~~would~~requests ~~allow~~such ~~third-party~~as GET (~~cross-site)~~POST ~~cookies.~~is ~~The~~unsafe) ~~Same-site~~and ~~cookie~~not ~~is incorporated into [https://tools.ietf.org/html/draft~~third-~~ietf-httpbis-rfc6265bis-05~~party ~~a new RFC draft for "Cookies: HTTP State Management Mechanism"] to update RFC6265~~cookies (ifinside ~~approved~~iframe). <br/>      Attribute <code>SameSite=None</code> would allow third-party (cross-site) cookies, however, most browsers require [https://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie Secure attribute] on SameSite=None cookies<ref>https://github.com/httpwg/http-extensions/pull/1323</ref>. The Same-site cookie is incorporated into [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07 a new RFC draft for "Cookies: HTTP State Management Mechanism"] to update RFC6265 (if approved). Chrome, Firefox, Microsoft Edge all started to support Same-site cookies.<ref>https://www.lambdatest.com/SameSite-cookie-attribute</ref> The key of rollout is the treatment of existing cookies without SameSite attribute defined, Chrome has been treating those existing cookies as if SameSite=None, this would keep all website/applications run as before. Google intended to change that default to SameSite=Lax in February 2020,<ref>https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html</ref> the change would break those applications/websites if they rely on third-party/cross-site cookies, but without SameSite attribute defined. Given the extensive changes for web developers and [[COVID-19]] circumstances, Google temporarily rolled back the SameSite cookie change.<ref>https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html</ref>

HTTP cookie: Difference between revisions