Revision as of 01:03, 28 December 2024 view source Mindmatrix (talk \| contribs) Autopatrolled, Administrators 188,534 edits revert - rm promotional link Tag: Manual revert ← Previous edit		Revision as of 02:34, 8 January 2025 view source Brandon (talk \| contribs) Edit filter managers, Administrators 23,427 edits Remove content marketing. Tag: 2017 wikitext editor Next edit →
Line 49: ==={{anchor\|SameSite cookie}}Same-site cookie=== In 2016 [[Google Chrome]] version 51 introduced<ref name="T8177">{{Cite web\|url=https://www.chromestatus.com/feature/4672634709082112\|title='SameSite' cookie attribute, Chrome Platform tatus\|website=Chromestatus.com\|access-date=2016-04-23\|archive-url=https://web.archive.org/web/20160509064447/https://www.chromestatus.com/feature/4672634709082112\|archive-date=2016-05-09\|url-status=live}}</ref> a new kind of cookie with attribute <code>SameSite</code> with possible values of <code>Strict</code>, <code>Lax</code> or <code>None</code>.<ref name="oCqyo">{{Cite journal\|url=https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00\|title=Same-Site Cookies draft-ietf-httpbis-cookie-same-site-00\|last1=Goodwin\|last2=West\|first1=M.\|newspaper=Ietf Datatracker\|date=20 June 2016\|access-date=2016-07-28\|archive-url=https://web.archive.org/web/20160816182604/https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00\|archive-date=2016-08-16\|url-status=live}}</ref> With attribute <code>SameSite=Strict</code>, the browsers would only send cookies to a target ___domain that is the same as the origin ___domain. This would effectively mitigate [[cross-site request forgery]] (CSRF) attacks.<ref name="wi75q">{{Cite web\|title=Using the Same-Site Cookie Attribute to Prevent CSRF Attacks\|url=https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/\|access-date=2021-04-05\|website=www.netsparker.com\|date=23 August 2016 \|language=en}}</ref> With <code>SameSite=Lax</code>, browsers would send cookies with requests to a target ___domain even it is different from the origin ___domain, but only for ''safe'' requests such as GET (POST is unsafe) and not third-party cookies (inside iframe). Attribute <code>SameSite=None</code> would allow third-party (cross-site) cookies, however, most browsers require [[#Secure cookie\|secure attribute]] on SameSite=None cookies.<ref name="vQf6D">{{Cite web\|title=Require "Secure" for "SameSite=None". by miketaylr · Pull Request #1323 · httpwg/http-extensions\|url=https://github.com/httpwg/http-extensions/pull/1323\|access-date=2021-04-05\|website=GitHub\|language=en}}</ref> The Same-site cookie is incorporated into a new RFC draft for "Cookies: HTTP State Management Mechanism"<ref>{{Cite report \|url=https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/07/ \|title=Cookies: HTTP State Management Mechanism \|last1=West \|first1=Mike \|last2=Wilander \|first2=John \|date=2020-12-07 \|publisher=Internet Engineering Task Force \|issue=draft-ietf-httpbis-rfc6265bis-07}}</ref> to update RFC 6265 (if approved).

HTTP cookie: Difference between revisions