Difference between revisions of "SameSite"

Revision as of 10:38, 8 May 2021

SameSite is an attribute in HTTP that is applied to the Cookie header.

Cross-site scripting (XSS) attacks have allows an attacker to see and reuse cookies supplied for Authentication of a user by another site.
New HTTP headers are focus on Cross-Origin iFrames which complicates the terms sites and origins which is future explained on that wiki page.

The use of Cookies on various devices and User Agents has be restricted in ever more severe ways. These restrictions have limited the functionality of the Authentication Cookie.
In particular Apple introduced a restriction on SameSite cookies that caused common implementations of OAuth 2.0 and OpenID Connect to fail. Brock Allen has decoded that issue on his site^[1] The basic problem with OAuth front channel Authentication is determining which site is the SameSite. So, while the authentication works, the redirect to the client code is not considered, by iOS 12, to be a same-site operation. Even in the case a refresh of the client site will work and be fully authenticated, because it is not a redirect, but a SameSite operation.

The wiki page Cross-Origin iFrame contains more details.
SameSite cookies from Mozilla.
Cookies: HTTP State Management Mechanism Google & Apple - caution this draft will likely be changed by the time you are reading this.

@@ Line 3: / Line 3: @@
 ==Context==
-Cross-site scripting (XSS) attacks have allows an attacker to see and reuse cookies supplied for [[Authentication]] of a user by another site.
+* Cross-site scripting (XSS) attacks have allows an attacker to see and reuse cookies supplied for [[Authentication]] of a user by another site.
+* New HTTP headers are focus on [[Cross-Origin iFrame]]s which complicates the terms sites and origins which is future explained on that wiki page.
 ==Problems==