Fixes to SameSite directive descriptions
chrisdavidmills committed Jun 23, 2024
1 parent abc565f commit 83a03ca
Showing 1 changed file with 4 additions and 2 deletions.
Expand Up @@ -37,11 +37,13 @@ To minimize the scope for cookie vulnerabilities on your site, limit access to c

- : Forbid sending cookies via cross-origin requests (for example from {{htmlelement("img")}} elements) using `SameSite`. You should use one of the following two values:

- `SameSite=Strict`: Only send the cookie on same-site navigations. Cookies are omitted on same-origin navigations (e.g. `a.example.com` to `b.example.com`). This is a very strict setting, but it does provide strong [CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) protection, so use this value if possible.
- `SameSite=Lax`: Send the cookie on same-site and same-origin navigations, and when navigating _to_ your site from another site. This is the default behavior used in modern browsers if no `SameSite` directive is set, and should be used if `Strict` is too restrictive.
- `SameSite=Strict`: Only send the cookie in same-site contexts (navigations and other requests). Cookies are omitted in same-origin contexts (e.g. navigating `a.example.com` to `b.example.com`), cross-site requests (e.g. hotlinking), and cross-site navigation (e.g. when following a link from a different web page). This is a very strict setting, but it does provide strong [CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) protection, so use this value if possible.
- `SameSite=Lax`: Send the cookie in same-site requests and when navigating _to_ your website. This should be used if `Strict` is too restrictive.

Both of the above values are useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks in cases that rely on the user being authenticated.

> **Note:** In theory, `SameSite=Strict` should be more useful than it is in practice. It often breaks navigations — for example, users clicking a link to a website on which they are already logged in (i.e. a valid session cokie is set) appear not to be logged in, because the browser has deliberately omitted the session cookie. The best middle ground is to use `SameSite=Strict` only on tokens where CSRF is a concern or use `SameSite=Strict` everywhere, but reload the page and do a cookie check in JavaScript if there's an indication that the user is logged in but required cookies are not being sent.
## Examples

Set a session identifier cookie that is only accessible on the current host and expires when the user closes their browser:
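Review bot: the rewritten `SameSite=Strict` bullet still contradicts itself: it opens with "Only send the cookie in same-site contexts" and then says cookies are "omitted in same-origin contexts (e.g. navigating `a.example.com` to `b.example.com`)". Same-origin is the narrower relation, so every same-origin request is also same-site and a Strict cookie is sent on it; and `a.example.com` to `b.example.com` is a same-site (cross-origin) navigation, on which a Strict cookie is also sent. The wording was carried over from the removed line, so the fix does not fix it. Suggest dropping that clause and listing only the cross-site cases as omitted, e.g. "Cookies are omitted in cross-site contexts, such as cross-site requests (e.g. hotlinking) and cross-site navigations (e.g. following a link from a different site)." If a subdomain example is wanted, it belongs in the same-site sentence, not the omitted one. While here, the unchanged note below has "session cokie" (should be "cookie").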
