jeena/en.javascript.info
1
0
Fork 0
Code Issues Pull requests Projects Packages Wiki Activity Actions

Merge pull request #718 from simmayor/samesite

Browse source 
Added section for cookie samesite attribute
This commit is contained in:
Ilya Kantor 2019-01-13 20:40:38 +03:00 committed by GitHub
commit d6797e198c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

36
4-frames-and-windows/06-clickjacking/article.md
View file

@ -189,6 +189,42 @@ The demo:
[codetabs src="protector"]
## Samesite cookie attribute
The `samesite` cookie attribute can also prevent clickjacking attacks. The purpose of the attribute is to prevent cookies from being sent to a website when the user doesn't intend to visit the website. It is designed to prevent cross-site request forgery attacks, but also helps with clickjacking because a hijacked click usually results in an unintended request to a different site. When a cookie has the `samesite` attribute, whether the value is `strict` or `lax`, cookies are not sent to a website when it is loaded inside an iframe.
The `samesite` attribute can be set using HTTP response headers or JavaScript. Via HTTP, it looks like:
`Set-Cookie: demoCookie=demoValue; samesite=lax`
or
`Set-Cookie: demoCookie=demoValue; samesite=strict`
In JavaScript, it is:
```html
document.cookie = "demoCookie=demoValue; SameSite=Lax";
document.cookie = "demoCookie=demoValue; SameSite=Strict";
```
When the value is `lax`, these types of requests are blocked:
- Form POST submit (<form method="POST" action="...">)
- iframe (<iframe src="..."></iframe>)
- AJAX ($.get("..."))
- Image (<img src="...">)
- Script (<script src="..."></script>)
- Stylesheet (<link rel="stylesheet" type="text/css" href="...">)
When the value is `strict`, these types of requests are also blocked, in addition to those under `lax`:
- Clicking a link (<a href="..."></a>)
- Prerender (<link rel="prerender" href=".."/>)
- Form GET submit (<form method="GET" action="...">)
In this case, we are concerned with iframe requests. A clickjacking attempt would fail because the user is not considered logged into, for example, Facebook, so they can't "Like" anything through the iframe.
The `samesite` attribute will not have an effect when cookies are not used. This may allow websites to easily show public, unauthenticated pages in iframes on unaffiliated websites. However, this may also allow clickjacking attacks to work in a few limited cases. An anonymous polling website that prevents duplicate voting by checking IP addresses, for example, would still be vulnerable to clickjacking because it does not authenticate users using cookies.
## Summary
Clickjacking is a way to "trick" users into clicking on a malicious site without even knowing what's happening. That's dangerous if there are important click-activated actions.