I would like to secure my cookies using SameSite=Strict. But is there a way to allow them to be accessed by a few domains only?
Starting a bounty - is it possible to restrict SameSite to a specific list of domains? If not, is this because the standard or browsers do not support it yet or because it doesn't make sense? – user58446 Dec 09 '22 at 00:44
I want this, but I don't think it can be done ☹️ – olfek Mar 11 '23 at 17:44
2 Answers
Take a look at the upcoming First Party Sets proposal from Google. This allows certain domains to be treated as if requests between them were same-site.
Note, however, that this is still in an early stage, is for now Google-specific and requires you to register the domains in a public repository.
Whitelisting Strict referral domains would be a fantastic enhancement to cookie management, but AFAIK this doesn't exist.

I am evaluating my own solution: set cookies to Lax and then implement my own whitelist that permits specific referrers; if the referring/redirecting website is not on the whitelist, delete all cookies and force the user to the login page. This would momentarily list/present existing cookies, which could be captured, but they would be useless because the page(s) that were redirected to would immediately delete the cookies because the referrer wasn't whitelisted.
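The approach sketched in the answer above, as an added example that is not code from the original post or its author: a session cookie issued with SameSite=Lax, and a server-side check that clears the cookie and redirects to the login page when the referring site is not on an allowlist. It is plain Node.js with no dependencies; the hosts (app.example.com, partner.example.org, sso.example.net) and the login path are hypothetical. It goes one step beyond the answer by consulting the Sec-Fetch-Site header first, because a hostile page can strip its own Referer (rel="noreferrer", a referrer policy), whereas Fetch Metadata is set by the browser and cannot be suppressed by the referring page; when neither signal vouches for the request, it fails closed.

```javascript
// Added example (not from the original post): SameSite=Lax session cookie plus a
// server-side referrer allowlist. Plain Node.js, no dependencies: node referrer_allowlist.js

const SESSION_COOKIE = "sid";
const LOGIN_PATH = "/login";

// Hypothetical hosts: the application itself plus partner sites that are allowed to
// link or redirect into it with the session cookie still attached.
const OWN_HOST = "app.example.com";
const PARTNER_ALLOWLIST = ["partner.example.org", "sso.example.net"];

// Set-Cookie header for the session. Lax rather than Strict so that top-level GET
// navigations from an allowed referrer still carry the cookie; Secure and HttpOnly as usual.
function sessionCookieHeader(sid, maxAgeSeconds = 3600) {
  return `${SESSION_COOKIE}=${encodeURIComponent(sid)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Set-Cookie headers that expire the named cookies immediately (Max-Age=0).
function clearCookieHeaders(names) {
  return names.map((name) => `${name}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax`);
}

// True when host is exactly `allowed` or a subdomain of it. The leading dot keeps
// "partner.example.org.attacker.com" from matching "partner.example.org".
function hostMatches(host, allowed) {
  return host === allowed || host.endsWith("." + allowed);
}

// Does the Referer header name a host on the allowlist? Missing or malformed -> false.
function refererOnAllowlist(referer) {
  if (!referer) return false;
  let host;
  try {
    host = new URL(referer).hostname.toLowerCase();
  } catch (_) {
    return false;
  }
  return [OWN_HOST, ...PARTNER_ALLOWLIST].some((allowed) => hostMatches(host, allowed));
}

// Decide whether the request may keep its session. `headers` is a lower-cased header map
// like the one Node's http module provides. Returns { allowed, reason }.
function referrerAllowed(headers) {
  const fetchSite = (headers["sec-fetch-site"] || "").toLowerCase();
  // same-origin, same-site and none (typed URL, bookmark) need no allowlist check.
  if (fetchSite === "same-origin" || fetchSite === "same-site" || fetchSite === "none") {
    return { allowed: true, reason: `sec-fetch-site=${fetchSite}` };
  }
  // Cross-site navigation, or a client without Fetch Metadata: fall back to the Referer
  // allowlist and fail closed when there is nothing to check.
  if (refererOnAllowlist(headers["referer"])) {
    return { allowed: true, reason: `referer on allowlist (${headers["referer"]})` };
  }
  return { allowed: false, reason: `referer missing or not on allowlist (${headers["referer"] || "none"})` };
}

// Middleware-style decision: pass the request through, or clear the session cookie and
// redirect to the login page as the answer describes.
function handleRequest(req) {
  const verdict = referrerAllowed(req.headers || {});
  if (verdict.allowed) {
    return { status: 200, headers: {}, reason: verdict.reason };
  }
  return {
    status: 302,
    headers: { Location: LOGIN_PATH, "Set-Cookie": clearCookieHeaders([SESSION_COOKIE]) },
    reason: verdict.reason,
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { name: "same-origin form post", headers: { "sec-fetch-site": "same-origin" } },
  { name: "link from partner", headers: { "sec-fetch-site": "cross-site", referer: "https://partner.example.org/start" } },
  { name: "CSRF page", headers: { "sec-fetch-site": "cross-site", referer: "https://evil.example/csrf" } },
  { name: "cross-site, referer stripped", headers: { "sec-fetch-site": "cross-site" } },
  { name: "lookalike host", headers: { "sec-fetch-site": "cross-site", referer: "https://partner.example.org.attacker.com/" } },
  { name: "legacy client, own referer", headers: { referer: "https://app.example.com/dashboard" } },
];

console.log("Set-Cookie:", sessionCookieHeader("3f9a1c7e"));
for (const req of SAMPLE_REQUESTS) {
  const res = handleRequest(req);
  console.log(`${req.name.padEnd(30)} -> ${res.status} (${res.reason})`);
}
```

Two caveats for anyone adopting this: the check only matters for requests on which a Lax cookie is actually sent (top-level GET navigations), so cross-site POSTs never reach it with a session attached; and the allowlist is a logout-on-mismatch heuristic, not a substitute for per-request CSRF tokens on state-changing endpoints.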