1

Some resources say that unlike SameSite=Strict, SameSite=Lax works when we load the other site using direct and top-level links... but as I tested, when I open a site from <a href="mysite.com">, browser treats it as typing mysite.com directly in address bar so it receives all cookies, even SameSite=Strict ones.

Same thing goes with <form action="mysite.com", method="get"> or <form ... method="post>", and the <form> request makes all cookies loaded completely.

So what's the difference between SameSite=Strict and SameSite=Lax?

Reza Nooralizadeh
  • 95
  • 1
  • 7
  • Does this answer your question? [What is difference between SameSite="Lax" and SameSite="Strict"?](https://stackoverflow.com/questions/59990864/what-is-difference-between-samesite-lax-and-samesite-strict) – badams May 14 '20 at 16:59
  • @badams No, one of resources that I talked about is that answer:) – Reza Nooralizadeh May 14 '20 at 19:43

2 Answers2

1

Strict and Lax are about when your browser sends cookies. You tested when your browser receives cookies.

The browser uses the SameSite setting to decide when to send the cookie back to its origin.

Quoting from SameSite cookies explained:

If you set SameSite to Strict, your cookie will only be sent in a first-party context. In user terms, the cookie will only be sent if the site for the cookie matches the site currently shown in the browser's URL bar. So, if the promo_shown cookie is set as follows:

Set-Cookie: promo_shown=1; SameSite=Strict

When the user is on your site, then the cookie will be sent with the request as expected. However when following a link into your site, say from another site or via an email from a friend, on that initial request the cookie will not be sent.

In contrast, SameSite=Lax allows the browser to send the cookie for the top-level navigations, such as described above: following a link on another site or clicking a link in an email.

Here is a summary on MDN, including the third value, SameSite=None:

The SameSite attribute accepts three values:

Lax

Cookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.

Strict

Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.

None

Cookies will be sent in all contexts, i.e sending cross-origin is allowed.

None used to be the default value, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

None requires the Secure attribute in latest browser versions.

If the HTML forms in your example are on another site, not mysite.com, cookies won't be sent back to mysite.com if they have SameSite=Strict. If SameSite=Lax, and the form has method="get", the browser will send the cookies, but with method="post", it will not.

badams
  • 98
  • 1
  • 9
1

Actually, when SameSite is set to Strict, cookies are sent when following a link in an Email, but only when the Email client is a standalone application, not browser-based. If you read your Email in a web app like gmail and click on a link, then it is a cross-domain request and is blocked by the browser.

When SameSite is Strict, cookies are sent when:

  • Following links from the same site
  • Entering the address directly into the address bar
  • Following a link from a non-browser application (Email client, Word document, ...)

When SameSite is set to Lax, it is sent in each of the above scenarios, plus

  • When you follow a top-level link from a different domain and it has a 'safe' method (GET, HEAD, OPTIONS). This is a link that changes the URL in the address bar, so a request in an IMG tag, IFRAME, etc, will not cause the cookie to be sent.
mbakereth
  • 186
  • 6