
Prevent CSRF attacks on the cookie's SameSite property

Posted on 2022-4-17 20:24:47
SameSite property

Starting with Chrome 51, the browser added a new SameSite attribute to cookies in order to prevent CSRF attacks and user tracking (malicious acquisition of cookies by third parties) and to limit third-party cookies, thereby reducing security risk.

SameSite is defined in RFC6265bis (the link is visible only after logging in).

CSRF attack recap:

ASP.NET CSRF attack Ajax request encapsulation
https://www.itsvse.com/thread-8077-1-1.html

mvc ajax with AntiForgeryToken to prevent CSRF attacks
https://www.itsvse.com/thread-4207-1-1.html

Analyze QQ Quick Login Protocol and Implement "CSRF"
https://www.itsvse.com/thread-3571-1-1.html
The SameSite property can be set to three values: Strict, Lax, None.

Strict: Strictly prohibits third parties from obtaining cookies; cookies are never sent cross-site under any circumstances. Cookies are only included if the URL of the current page matches the request target. This rule is too strict and causes a very bad user experience. For example, if the current web page contains a GitHub link, users will not have their GitHub cookies when they click it, and the destination always appears logged out.

Lax: Prevents cross-site use; in most cases obtaining cookies is forbidden, except for GET requests that navigate to the destination URL (links, preloads, GET forms). Once Strict or Lax is set, CSRF attacks are basically eliminated, provided of course that the user's browser supports the SameSite property.

The SameSite attribute defaults to SameSite=Lax. [This applies to versions after Google released the Chrome 80 stable version on February 4, 2019]



None: No restrictions.

The Secure attribute must also be set (the cookie can only be sent over HTTPS), otherwise the cookie is not valid. [This applies to versions after Google released the Chrome 80 stable version on February 4, 2019]


Test the SameSite property

We dynamically load an image from site A through the F12 console on site A; the code is as follows:

We can see from the network request that when site A requests an image under site A's own domain name, it carries cookies (SameSite not set, i.e., Lax), as shown in the image below:



We then pick an arbitrary site B and dynamically load the image from site A, and find that it does not carry any cookies, as shown below:



(End)
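The following is an added example, not code from the original post: a small Node.js model of the SameSite rules described above (Chrome 80+ behaviour: a missing SameSite attribute is treated as Lax, and SameSite=None is only accepted together with Secure). It parses Set-Cookie headers, decides whether a cookie would be attached to a request, and replays the post's test (same-site image load versus cross-site image load) plus a link click and a cross-site POST form. Assumptions: site-a.example and site-b.example are placeholder hosts, "site" is approximated as the last two host labels instead of the Public Suffix List, and Chrome's transitional two-minute Lax+POST exception for cookies with no explicit SameSite is omitted.

```javascript
// Added example (not from the original post): model of browser SameSite cookie rules.

// Approximate "site" as the last two host labels. Real browsers use the
// Public Suffix List; this shortcut is an assumption made for the example.
function siteOf(url) {
  const labels = new URL(url).hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Parse a Set-Cookie header into name, value, Secure flag and SameSite value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null, // null means the attribute was not set
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = (val || '').trim().toLowerCase();
  }
  return cookie;
}

// Effective mode under the Chrome 80 defaults:
// unset -> Lax; None without Secure -> rejected (never stored).
function effectiveSameSite(cookie) {
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  if (cookie.sameSite === 'strict') return 'strict';
  return 'lax';
}

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Would `cookie` (belonging to the site of `targetUrl`) be attached to a request
// for `targetUrl` issued from a page at `pageUrl`?
function cookieSent({ cookie, pageUrl, targetUrl, method = 'GET', topLevelNavigation = false }) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false;                                // browser never stored it
  if (cookie.secure && !targetUrl.startsWith('https:')) return false;  // Secure requires HTTPS
  if (siteOf(pageUrl) === siteOf(targetUrl)) return true;              // same-site: always sent
  if (mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: cross-site only on top-level navigations that use a safe method
  return topLevelNavigation && SAFE_METHODS.includes(method.toUpperCase());
}

// Constructed scenarios mirroring the post's test. site-a.example and
// site-b.example are placeholders, not the sites used in the post.
const SITE_A = 'https://www.site-a.example/';
const SITE_A_IMAGE = 'https://www.site-a.example/images/logo.png';
const SITE_B = 'https://www.site-b.example/';
// A session cookie set without any SameSite attribute (defaults to Lax).
const DEFAULT_COOKIE = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly');

// <img> created on site A pointing at site A: cookie is sent (same-site).
function imageFromSiteA() {
  return cookieSent({ cookie: DEFAULT_COOKIE, pageUrl: SITE_A, targetUrl: SITE_A_IMAGE });
}

// Same <img> created on site B: the default-Lax cookie is not sent (cross-site sub-resource).
function imageFromSiteB() {
  return cookieSent({ cookie: DEFAULT_COOKIE, pageUrl: SITE_B, targetUrl: SITE_A_IMAGE });
}

// Clicking a link on site B that leads to site A: Lax allows the top-level GET, Strict does not.
function linkFromSiteB(sameSiteValue) {
  const cookie = parseSetCookie(`session=abc123; Secure; SameSite=${sameSiteValue}`);
  return cookieSent({ cookie, pageUrl: SITE_B, targetUrl: SITE_A, topLevelNavigation: true });
}

// A cross-site POST form submitted from site B (the classic CSRF shape):
// blocked under Lax and Strict, carried only for SameSite=None; Secure.
function postFormFromSiteB(sameSiteValue) {
  const cookie = parseSetCookie(`session=abc123; Secure; SameSite=${sameSiteValue}`);
  return cookieSent({ cookie, pageUrl: SITE_B, targetUrl: SITE_A, method: 'POST', topLevelNavigation: true });
}

function runScenarios() {
  return {
    imageFromA: imageFromSiteA(),          // true
    imageFromB: imageFromSiteB(),          // false
    linkLax: linkFromSiteB('Lax'),         // true
    linkStrict: linkFromSiteB('Strict'),   // false
    postLax: postFormFromSiteB('Lax'),     // false
    postNone: postFormFromSiteB('None'),   // true
  };
}

console.log(runScenarios());
```

Run it with `node samesite-model.js`. The first two results reproduce what the post observes in the F12 network panel; the remaining ones show why Lax keeps ordinary link navigation working while still blocking the cross-site POST form, and why an application that genuinely needs cross-site cookies must opt in with SameSite=None together with Secure.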





Posted on 2022-4-17 21:20:07
Learn to learn...