==={{anchor|SameSite cookie}}Same-site cookie===
In 2016 [[Google Chrome]] version 51 introduced<ref>{{Cite web|url=https://www.chromestatus.com/feature/4672634709082112|title='SameSite' cookie attribute, Chrome Platform Status|website=Chromestatus.com|access-date=2016-04-23|archive-url=https://web.archive.org/web/20160509064447/https://www.chromestatus.com/feature/4672634709082112|archive-date=2016-05-09|url-status=live}}</ref> a new kind of cookie with the attribute <code>SameSite</code>. The <code>SameSite</code> attribute can have a value of <code>Strict</code>, <code>Lax</code> or <code>None</code>.<ref>{{Cite web|url=https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00|title=Same-Site Cookies draft-ietf-httpbis-cookie-same-site-00|last=Goodwin|last2=West|first=M.|website=tools.ietf.org|access-date=2016-07-28|archive-url=https://web.archive.org/web/20160816182604/https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00|archive-date=2016-08-16|url-status=live}}</ref> With <code>SameSite=Strict</code>, browsers should only send these cookies with requests originating from the same ___domain/site as the target ___domain. This would effectively mitigate [[cross-site request forgery]] (XSRF) attacks.<ref>https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/</ref> <code>SameSite=Lax</code> would not restrict the originating site, but would require the target ___domain to be the same as the cookie ___domain, effectively blocking third-party (cross-site) cookies. <code>SameSite=None</code> would allow third-party (cross-site) cookies. The same-site cookie is incorporated into [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05 a new RFC draft].
Chrome, Firefox and Microsoft Edge have all started to support same-site cookies.<ref>https://www.lambdatest.com/SameSite-cookie-attribute</ref> The key issue in the rollout is the treatment of existing cookies that have no <code>SameSite</code> attribute defined: Chrome has been treating such cookies as if <code>SameSite=None</code> were set, which keeps all websites and applications running as before. Google intended to change that default to <code>SameSite=Lax</code> in February 2020;<ref>https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html</ref> this change would break applications and websites that rely on third-party (cross-site) cookies without having the <code>SameSite</code> attribute defined. Given the extensive changes required of web developers and the COVID-19 circumstances, Google temporarily rolled back the SameSite cookie change.<ref>https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html</ref>
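The following is an added example, not part of the article or of any browser's code: a toy model of the browser-side decision rule for the three <code>SameSite</code> values described above, together with the rollout question from the second paragraph (how a cookie with no <code>SameSite</code> attribute is treated when the default is <code>None</code> versus <code>Lax</code>). It goes slightly beyond the article's wording for <code>Lax</code> by following the draft it cites: a <code>Lax</code> cookie is still attached to cross-site top-level navigations that use safe HTTP methods such as GET. The functions <code>parseSetCookie</code>, <code>siteOf</code>, <code>shouldSendCookie</code> and <code>demo</code>, the host names and the cookie values are all constructed for the example; <code>siteOf</code> simplifies the "site" to the last two DNS labels and ignores the Public Suffix List that real browsers consult.

```javascript
// Added example (not browser code): a simplified model of SameSite handling.

// Parse a Set-Cookie header value into { name, value, sameSite, secure }.
// An unrecognised SameSite value is treated like a missing attribute.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: undefined, // undefined = attribute not set by the server
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'samesite') {
      const val = (v || '').toLowerCase();
      if (val === 'strict') cookie.sameSite = 'Strict';
      else if (val === 'lax') cookie.sameSite = 'Lax';
      else if (val === 'none') cookie.sameSite = 'None';
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// Registrable "site" of a host. Simplified (assumption): the last two
// labels; real browsers use the Public Suffix List instead.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Safe methods per the HTTP semantics; Lax cookies ride along on
// top-level navigations that use one of these.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Decide whether the browser attaches `cookie` to `request`.
// request: { initiatorHost, targetHost, method, topLevelNavigation }
// defaultSameSite: how a cookie with no SameSite attribute is treated
//   ('None' = legacy Chrome behaviour, 'Lax' = the intended new default).
function shouldSendCookie(cookie, request, defaultSameSite = 'None') {
  const policy = cookie.sameSite ?? defaultSameSite;
  const crossSite = siteOf(request.initiatorHost) !== siteOf(request.targetHost);
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (policy) {
    case 'Strict':
      return false; // never sent cross-site
    case 'Lax':
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    case 'None':
      return true; // third-party use allowed
    default:
      throw new Error(`unknown SameSite policy: ${policy}`);
  }
}

// Constructed requests (hypothetical hosts).
// A cross-site form POST of the kind CSRF relies on: no user-facing
// navigation semantics matter here, only that the method is unsafe.
const crossSitePost = { initiatorHost: 'other.example', targetHost: 'bank.example', method: 'POST', topLevelNavigation: true };
// A cross-site link click: top-level GET navigation.
const linkClick = { initiatorHost: 'news.example', targetHost: 'bank.example', method: 'GET', topLevelNavigation: true };
// A same-site request between two subdomains of the same site.
const sameSiteRequest = { initiatorHost: 'www.bank.example', targetHost: 'api.bank.example', method: 'POST', topLevelNavigation: false };

// Run the scenarios and return the decisions so they can be inspected.
function demo() {
  const strict = parseSetCookie('session=abc; SameSite=Strict; Secure');
  const lax = parseSetCookie('session=abc; SameSite=Lax');
  const none = parseSetCookie('session=abc; SameSite=None; Secure');
  const legacy = parseSetCookie('session=abc'); // no SameSite attribute
  return {
    strictOnCrossSitePost: shouldSendCookie(strict, crossSitePost), // false
    laxOnCrossSitePost: shouldSendCookie(lax, crossSitePost),       // false
    laxOnLinkClick: shouldSendCookie(lax, linkClick),               // true
    noneOnCrossSitePost: shouldSendCookie(none, crossSitePost),     // true
    legacyUnderDefaultNone: shouldSendCookie(legacy, crossSitePost, 'None'), // true
    legacyUnderDefaultLax: shouldSendCookie(legacy, crossSitePost, 'Lax'),   // false
    strictOnSameSite: shouldSendCookie(strict, sameSiteRequest),    // true
  };
}

console.log(demo());
```

The two <code>legacy</code> results are the rollout problem in miniature: the same attribute-less cookie is sent with a cross-site POST while the default is <code>None</code> and withheld once the default becomes <code>Lax</code>, which is why sites that depended on third-party cookies but never set the attribute would break under the new default.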