jeena/en.javascript.info
1
0
Fork 0
Code Issues Pull requests Projects Packages Wiki Activity Actions

Added more detail for samesite attribute

Browse source
This commit is contained in:
simmayor 2019-01-10 16:35:07 -05:00 committed by GitHub
parent e8661bf4de
commit 2aa5068365
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

34
4-frames-and-windows/06-clickjacking/article.md
View file

@ -191,9 +191,39 @@ The demo:
## Samesite cookie attribute ## Samesite cookie attribute
The `samesite` cookie attribute can also prevent clickjacking attacks. The purpose of the attribute is to prevent cookies from being sent to a website when the user doesn't intend to visit the website. It mainly prevents cross-site request forgery attacks, but also helps with clickjacking. When a cookie has the `samesite` attribute, whether the value is `strict` or `lax`, cookies are not sent to a website when it is loaded inside an iframe. A clickjacking attempt would fail because the user is not considered logged into, for example, Facebook, so they can't "Like" anything through the iframe. The `samesite` cookie attribute can also prevent clickjacking attacks. The purpose of the attribute is to prevent cookies from being sent to a website when the user doesn't intend to visit the website. It is designed to prevent cross-site request forgery attacks, but also helps with clickjacking because a hijacked click usually results in an unintended request to a different site. When a cookie has the `samesite` attribute, whether the value is `strict` or `lax`, cookies are not sent to a website when it is loaded inside an iframe.
The samesite attribute will not have an effect when cookies are not used. This may allow websites to easily show public, unauthenticated pages in iframes on unaffiliated websites. However, this may also allow clickjacking attacks to work in a few limited cases. An anonymous polling website that prevents duplicate voting by checking IP addresses, for example, would still be vulnerable to clickjacking because it does not authenticate users using cookies. The `samesite` attribute can be set using HTTP response headers or JavaScript. Via HTTP, it looks like:
`Set-Cookie: demoCookie=demoValue; samesite=lax`
or
`Set-Cookie: demoCookie=demoValue; samesite=strict`
In JavaScript, it is:
```html
document.cookie = "demoCookie=demoValue; SameSite=Lax";
document.cookie = "demoCookie=demoValue; SameSite=Strict";
```
When the value is `lax`, these types of requests are blocked:
- Form POST submit (<form method="POST" action="...">)
- iframe (<iframe src="..."></iframe>)
- AJAX ($.get("..."))
- Image (<img src="...">)
- Script (<script src="..."></script>)
- Stylesheet (<link rel="stylesheet" type="text/css" href="...">)
When the value is `strict`, these types of requests are also blocked, in addition to those under `lax`:
- Clicking a link (<a href="..."></a>)
- Prerender (<link rel="prerender" href=".."/>)
- Form GET submit (<form method="GET" action="...">)
In this case, we are concerned with iframe requests. A clickjacking attempt would fail because the user is not considered logged into, for example, Facebook, so they can't "Like" anything through the iframe.
The `samesite` attribute will not have an effect when cookies are not used. This may allow websites to easily show public, unauthenticated pages in iframes on unaffiliated websites. However, this may also allow clickjacking attacks to work in a few limited cases. An anonymous polling website that prevents duplicate voting by checking IP addresses, for example, would still be vulnerable to clickjacking because it does not authenticate users using cookies.
## Summary ## Summary