I have a page on https://dskl.net/xsrf/setcookies.php which sets a cookie with the following header:
set-cookie: secure-cookie=secure; expires=Mon, 24-Jul-2023 11:27:06 GMT; Max-Age=31536000; path=/; domain=dskl.net; secure; HttpOnly
If I go to this page, the value of the cookie is displayed: https://dskl.net/xsrf/getcookies.php.
But if I make a post request to that page from a form on a different domain, the cookie is also included in the request: https://manabase.com/xsrf/
Shouldn't a cookie without a SameSite attribute be treated as SameSite=Lax and not have the cookie included in a cross-domain form post?
Strangely, if I make the form post a bit later, the cookie is not included. But if I delete the cookie and try again, it works again. What might be going on here?
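
An added example, not part of the original post: a small model of how a browser decides whether to attach a cookie to a cross-site request, applied to the Set-Cookie header quoted above. It assumes Chrome's "Lax + POST" exception, under which a cookie set without a SameSite attribute is still sent on top-level cross-site POSTs for about two minutes after it is set; the function names and the 120-second constant are illustrative, not a browser API.

```javascript
// Added illustration; all names are hypothetical, not a browser API.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const LAX_UNSAFE_WINDOW_S = 120; // assumption: Chrome's 2-minute "Lax + POST" window

// Extract the attributes that matter for SameSite enforcement.
function parseSetCookie(header) {
  const [pair, ...attrs] = header
    .replace(/^set-cookie:\s*/i, "")
    .split(";")
    .map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether a cookie is attached to a CROSS-SITE request.
function sentCrossSite(cookie, { method, topLevelNavigation, ageSeconds }) {
  const safe = SAFE_METHODS.has(method.toUpperCase());
  switch (cookie.sameSite) {
    case "none":   return cookie.secure;              // None requires Secure
    case "strict": return false;
    case "lax":    return topLevelNavigation && safe; // explicit Lax: no POST exception
    default:                                          // attribute absent: Lax by default
      if (!topLevelNavigation) return false;
      return safe || ageSeconds <= LAX_UNSAFE_WINDOW_S;
  }
}

// The header from the post, and the same header with SameSite set explicitly.
const HEADER = "set-cookie: secure-cookie=secure; expires=Mon, 24-Jul-2023 11:27:06 GMT; " +
  "Max-Age=31536000; path=/; domain=dskl.net; secure; HttpOnly";
const asServed = parseSetCookie(HEADER);
const withLax = parseSetCookie(HEADER + "; SameSite=Lax");
const formPost = { method: "POST", topLevelNavigation: true };

function demo() {
  return {
    freshDefault: sentCrossSite(asServed, { ...formPost, ageSeconds: 10 }),
    agedDefault: sentCrossSite(asServed, { ...formPost, ageSeconds: 600 }),
    freshExplicitLax: sentCrossSite(withLax, { ...formPost, ageSeconds: 10 }),
  };
}
console.log(demo());
```

Under this model, only the cookie served without a SameSite attribute and posted shortly after being set is attached; sending `SameSite=Lax` (or `Strict`) explicitly from the server removes that window.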