
Can anyone tell me what is the difference between SameSite="Lax" and SameSite="Strict" by a nice example as I am a bit confused between these two?

Sajad Torkamani
Simant

3 Answers

Lax allows the cookie to be sent on some cross-site requests, whereas Strict never allows the cookie to be sent on a cross-site request.

The situations in which Lax cookies can be sent cross-site must satisfy both of the following:

  1. The request must be a top-level navigation. You can think of this as equivalent to when the URL shown in the URL bar changes, e.g. a user clicking on a link to go to another site.
  2. The request method must be safe (e.g. GET or HEAD, but not POST).

For example:

  1. Let's say a user is on site-a.com and clicks on a link to go to site-b.com. This is a cross-site request. This is a top-level navigation and is a GET request, so Lax cookies are sent to site-b.com. However, Strict cookies are not sent because it is, after all, a cross-site request.
  2. The user is on site-a.com and there is an iframe in which site-b.com is loaded. This is a cross-site request, but it's not a top-level navigation (the user is still on site-a.com, i.e. the URL bar doesn't change when the iframe is loaded). Therefore neither Lax nor Strict cookies are sent to site-b.com.
  3. The user is on site-a.com which POSTs a form to site-b.com. This is a cross-site request, but the method (POST) is unsafe. It doesn't meet the criteria for Lax cookies going cross-site, so neither Lax nor Strict cookies are sent to site-b.com.
chlily
  • Is there any security (or other) reason that someone would want to use SameSite="Strict"? – joshhunt Aug 05 '20 at 12:17
  • @joshhunt GET based CSRF is much less common than it once was, but it does still happen. So if a site has no need for Lax cookies to work (they have no reason for external links to pages to work, if those pages can only be seen by users with cookies set), then they may choose to reduce their possible attack surface by making cookies SameSite=Strict. – James_pic Nov 10 '20 at 13:05
  • Thanks for the explanation about the "top-level navigation". – Charlie Dec 24 '20 at 03:11
  • What about the following? The user is on site-a.com and there is an iframe with site-b.com. site-b.com makes a GET request back to site-a.com (inside the iframe). Will Lax cookies for the cross-site GET to site-a.com (iframed site-a inside site-a) be sent with the request? From my observation in Chrome 90 beta this cookie is blocked, while it is not blocked in Chrome 88. – CoperNick Mar 17 '21 at 10:50
  • Where did you get your information about it only working for "safe" requests? From my testing, cookies ARE sent on a POST request with SameSite=Lax if the post results in the user navigating to the target URL. If SameSite=Strict, then the cookies are not sent. I tested this in Chrome 89. – Jacob Adams Mar 25 '21 at 21:50
  • After further research, it looks like sending cookies with "SameSite=Lax" on POST requests is a temporary allowance in Chrome to give developers more time to adapt. https://groups.google.com/a/chromium.org/g/blink-dev/c/AknSSyQTGYs/m/wRWG65IWBQAJ – Jacob Adams Mar 25 '21 at 21:58
  • When clicking a link that navigates to a cross-site URL, and the response sets a Strict cookie via the Set-Cookie response header, I expected that the cookie would not be set successfully, but in my test it sets the SameSite=Strict cookie successfully; why? – SKing7 Mar 26 '21 at 12:02
  • Any type of cookie can be *set* by a top-level navigation (response). The different SameSite rules kick in on *getting* cookies (request). – chlily Mar 29 '21 at 17:11
  • Example no. 2: if site-a.com is rendered in an iframe, it has the session cookie, and then it redirects to site-b.com; when site-b.com redirects back to site-a.com (within the iframe), site-a.com does not have the cookie, but after a reload (inside the iframe) it has the cookie again. Why is that? Is there any solution without having to reload? – Ardeus Sep 18 '21 at 14:14
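The rules in the accepted answer (same-site requests always carry the cookie; Lax additionally allows cross-site requests only when they are both a top-level navigation and use a safe method; Strict allows no cross-site request; None allows everything) can be written down as a small decision function and run against the three scenarios the answer gives. The following is an added illustration, not code from the answer or from any browser; `site_of`, `is_same_site`, `Request`, `cookie_is_sent` and `matrix` are names chosen here, and the registrable-domain heuristic (last two DNS labels) is an assumption that stands in for the Public Suffix List a real browser uses.

```python
"""Simulate the browser's SameSite cookie-attachment decision (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# "Safe" methods in the HTTP sense: they are not supposed to change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> tuple[str, str]:
    """Return (scheme, registrable domain) for a URL.

    Assumption: the registrable domain is the last two DNS labels. A real
    browser consults the Public Suffix List (so 'example.co.uk' works); the
    heuristic is enough for the site-a.com / site-b.com scenarios here.
    """
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return parts.scheme, ".".join(labels[-2:])


def is_same_site(url_a: str, url_b: str) -> bool:
    """Schemeful same-site: scheme and registrable domain must both match.

    Subdomains (www.site-a.com vs api.site-a.com) are still the same site.
    """
    return site_of(url_a) == site_of(url_b)


@dataclass
class Request:
    url: str                # destination of the request
    initiator: str          # URL of the document that caused the request
    method: str = "GET"
    top_level: bool = False  # does the request navigate the top-level document?


def cookie_is_sent(same_site: str, req: Request) -> bool:
    """Decide whether a cookie with the given SameSite value is attached."""
    if is_same_site(req.initiator, req.url):
        return True  # same-site requests always carry the cookie
    attr = same_site.lower()
    if attr == "none":
        return True  # cross-site allowed (the cookie must also be Secure)
    if attr == "lax":
        # Both conditions from the answer: top-level navigation AND safe method.
        return req.top_level and req.method.upper() in SAFE_METHODS
    if attr == "strict":
        return False  # never on a cross-site request
    raise ValueError(f"unknown SameSite value: {same_site!r}")


# The three scenarios from the answer (constructed: a page on site-a.com
# causes a request to site-b.com).
SCENARIOS = {
    "link_click": Request("https://site-b.com/page", "https://site-a.com/", "GET", top_level=True),
    "iframe_load": Request("https://site-b.com/widget", "https://site-a.com/", "GET", top_level=False),
    "form_post": Request("https://site-b.com/submit", "https://site-a.com/", "POST", top_level=True),
}


def matrix() -> dict[str, dict[str, bool]]:
    """For each scenario, which SameSite variants reach site-b.com."""
    return {
        name: {attr: cookie_is_sent(attr, req) for attr in ("Strict", "Lax", "None")}
        for name, req in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:12s}", {k: ("sent" if v else "blocked") for k, v in row.items()})
```

Running it prints one row per scenario: only the link click delivers the Lax cookie, Strict is blocked in all three, and None is delivered in all three. Adding a fourth `Request` whose initiator and destination are both on site-a.com shows that the attribute plays no role at all for same-site requests, which is why SameSite is a CSRF mitigation and not a substitute for per-request tokens on same-site forms.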

A picture is worth a thousand words. Here is my lucid diagram that summarizes everything you need to know about the SameSite attribute:

[diagram summarizing the SameSite attribute; image not included in this copy]

Note that "cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS)" Source: MDN

Source: from @chlily's answer above and the blog from Google about SameSite cookies

Bonus: difference between same-site and same-origin from Google's blog

Son Nguyen

Strict does not allow the cookie to be sent on a cross-site request or in an iframe. Lax allows GET only. None allows all requests, but Secure is required.

Albert Vila Calvo
Anil Samelia