From 2aa50683651a9e3b09f71c518e5786a74b2f8077 Mon Sep 17 00:00:00 2001 From: simmayor Date: Thu, 10 Jan 2019 16:35:07 -0500 Subject: [PATCH] Added more detail for samesite attribute --- .../06-clickjacking/article.md | 34 +++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/4-frames-and-windows/06-clickjacking/article.md b/4-frames-and-windows/06-clickjacking/article.md index 1fae2ee1..d26a3b23 100644 --- a/4-frames-and-windows/06-clickjacking/article.md +++ b/4-frames-and-windows/06-clickjacking/article.md @@ -191,9 +191,39 @@ The demo: ## Samesite cookie attribute -The `samesite` cookie attribute can also prevent clickjacking attacks. The purpose of the attribute is to prevent cookies from being sent to a website when the user doesn't intend to visit the website. It mainly prevents cross-site request forgery attacks, but also helps with clickjacking. When a cookie has the `samesite` attribute, whether the value is `strict` or `lax`, cookies are not sent to a website when it is loaded inside an iframe. A clickjacking attempt would fail because the user is not considered logged into, for example, Facebook, so they can't "Like" anything through the iframe. +The `samesite` cookie attribute can also prevent clickjacking attacks. The purpose of the attribute is to prevent cookies from being sent to a website when the user doesn't intend to visit the website. It is designed to prevent cross-site request forgery attacks, but also helps with clickjacking because a hijacked click usually results in an unintended request to a different site. When a cookie has the `samesite` attribute, whether the value is `strict` or `lax`, cookies are not sent to a website when it is loaded inside an iframe. -The samesite attribute will not have an effect when cookies are not used. This may allow websites to easily show public, unauthenticated pages in iframes on unaffiliated websites. However, this may also allow clickjacking attacks to work in a few limited cases. An anonymous polling website that prevents duplicate voting by checking IP addresses, for example, would still be vulnerable to clickjacking because it does not authenticate users using cookies. +The `samesite` attribute can be set using HTTP response headers or JavaScript. Via HTTP, it looks like: + +`Set-Cookie: demoCookie=demoValue; samesite=lax` + +or + +`Set-Cookie: demoCookie=demoValue; samesite=strict` + +In JavaScript, it is: + +```html +document.cookie = "demoCookie=demoValue; SameSite=Lax"; +document.cookie = "demoCookie=demoValue; SameSite=Strict"; +``` + +When the value is `lax`, these types of requests are blocked: +- Form POST submit (<form method="POST" action="...">) +- iframe (<iframe src="..."></iframe>) +- AJAX ($.get("...")) +- Image (<img src="...">) +- Script (<script src="..."></script>) +- Stylesheet (<link rel="stylesheet" type="text/css" href="...">) + +When the value is `strict`, these types of requests are also blocked, in addition to those under `lax`: +- Clicking a link (<a href="..."></a>) +- Prerender (<link rel="prerender" href=".."/>) +- Form GET submit (<form method="GET" action="...">) + +In this case, we are concerned with iframe requests. A clickjacking attempt would fail because the user is not considered logged into, for example, Facebook, so they can't "Like" anything through the iframe. + +The `samesite` attribute will not have an effect when cookies are not used. This may allow websites to easily show public, unauthenticated pages in iframes on unaffiliated websites. However, this may also allow clickjacking attacks to work in a few limited cases. An anonymous polling website that prevents duplicate voting by checking IP addresses, for example, would still be vulnerable to clickjacking because it does not authenticate users using cookies. ## Summary