From 83a03ca122e3d81ef7caad63df8265de86e8c08c Mon Sep 17 00:00:00 2001 From: Chris Mills Date: Sun, 23 Jun 2024 14:22:32 +0100 Subject: [PATCH] Fixes to SameSite directive descriptions --- .../practical_implementation_guides/cookies/index.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/files/en-us/web/security/practical_implementation_guides/cookies/index.md b/files/en-us/web/security/practical_implementation_guides/cookies/index.md index 3b5e137dd9c2625..19ff9307de7f304 100644 --- a/files/en-us/web/security/practical_implementation_guides/cookies/index.md +++ b/files/en-us/web/security/practical_implementation_guides/cookies/index.md 
@@ -37,11 +37,13 @@ To minimize the scope for cookie vulnerabilities on your site, limit access to c - : Forbid sending cookies via cross-origin requests (for example from {{htmlelement("img")}} elements) using `SameSite`. You should use one of the following two values: - - `SameSite=Strict`: Only send the cookie on same-site navigations. Cookies are omitted on same-origin navigations (e.g. `a.example.com` to `b.example.com`). This is a very strict setting, but it does provide strong [CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) protection, so use this value if possible. - - `SameSite=Lax`: Send the cookie on same-site and same-origin navigations, and when navigating _to_ your site from another site. This is the default behavior used in modern browsers if no `SameSite` directive is set, and should be used if `Strict` is too restrictive. + - `SameSite=Strict`: Only send the cookie in same-site contexts (navigations and other requests). Cookies are omitted in same-origin contexts (e.g. navigating `a.example.com` to `b.example.com`), cross-site requests (e.g. hotlinking), and cross-site navigation (e.g. when following a link from a different web page). This is a very strict setting, but it does provide strong [CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) protection, so use this value if possible. + - `SameSite=Lax`: Send the cookie in same-site requests and when navigating _to_ your website. This should be used if `Strict` is too restrictive. Both of the above values are useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks in cases that rely on the user being authenticated. + > **Note:** In theory, `SameSite=Strict` should be more useful than it is in practice. It often breaks navigations — for example, users clicking a link to a website on which they are already logged in (i.e. 
a valid session cokie is set) appear not to be logged in, because the browser has deliberately omitted the session cookie. The best middle ground is to use `SameSite=Strict` only on tokens where CSRF is a concern or use `SameSite=Strict` everywhere, but reload the page and do a cookie check in JavaScript if there's an indication that the user is logged in but required cookies are not being sent. + ## Examples Set a session identifier cookie that is only accessible on the current host and expires when the user closes their browser:
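Review bot: The replacement `SameSite=Strict` bullet contradicts itself: it first says the cookie is sent "in same-site contexts", then says cookies are "omitted in same-origin contexts (e.g. navigating `a.example.com` to `b.example.com`)". Same-origin is a subset of same-site, so a cookie sent in all same-site contexts cannot be omitted in same-origin ones; and two subdomains of one registrable domain are same-site (though cross-origin), so a Strict cookie is sent on that navigation. Drop the "same-origin contexts" clause entirely, or reword it to describe what Strict actually blocks, e.g. "Cookies are omitted in cross-site requests (e.g. hotlinking) and cross-site navigation (e.g. when following a link from a different web page)." Two smaller points in the same hunk: the added note misspells "cookie" as "cokie", and the `SameSite=Lax` bullet drops the removed sentence saying Lax is the default when no `SameSite` directive is set; that default is worth keeping in the new text since readers rely on it when deciding whether to set the attribute explicitly.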