SameSite=Strict cookies for a user entered URL


Craig Francis

Jun 13, 2016, 12:35:46 PM
to security-dev, WebAppSec WG
Hi,

I was wondering about the security vs usability in how SameSite=Strict cookies work.

At the moment (in Chrome 51 - 53 at least), if you're on a website and copy/paste a URL for the current website into the current tab's address bar, the SameSite=Strict cookies are sent in that request.

But if you open a new tab and paste the URL, the requested page does not include the SameSite=Strict cookies.

---

From a security point of view, it's possible that the user has been given a malicious URL to navigate to, so maybe the correct behaviour is to block all SameSite=Strict cookies where the Referrer isn't the current website.

But, if the user is on a particular page and they want to keep that page open, they might right-click on the link they want to view, copy the link address (not using the "open link in new tab" feature), open a new tab, and paste the URL... so when that page loads, they need to log in again.

Or, if they have a bookmark in their browser, or a link in an email (normal email client, not a webmail client), then every time they follow those links, should they need to log in again?

---

Personally I have a bit more of a complicated problem, where I have a cookie that defends against CSRF, but that's a little trickier to explain. So I'm wondering if the slightly less secure approach might be better, as at the moment I'm getting a few complaints, where I think I'll have to drop back to SameSite=Lax (as Strict might be a little too Strict).

Craig

And while it's protected, I have raised a Chrome bug for this:

https://crbug.com/619603

And the spec is at:

https://tools.ietf.org/html/draft-west-first-party-cookies-07

Mike West

Jun 20, 2016, 10:34:41 AM
to Craig Francis, HTTP Working Group
-security-dev, public-webappsec to BCC.
+ietf-h...@w3.org, which is the group you'll probably want to poke at about cookies.

On Mon, Jun 13, 2016 at 6:35 PM, Craig Francis <craig....@gmail.com> wrote:
Hi,

I was wondering about the security vs usability in how SameSite=Strict cookies work.

At the moment (in Chrome 51 - 53 at least), if you're on a website and copy/paste a URL for the current website into the current tab's address bar, the SameSite=Strict cookies are sent in that request.

But if you open a new tab and paste the URL, the requested page does not include the SameSite=Strict cookies.

This is a bug in Chrome's implementation that I'm poking at. Step 1 of https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-2.1 handles this case, though it's a bit opaque since it requires you to know that a new, user-navigated tab doesn't have a 'client'. I've filed https://github.com/httpwg/http-extensions/issues/201 to add a note to the spec to clarify things.

Thanks for the report, and sorry for the delayed response.

-mike
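As an added illustration (this is not code from the thread, from Chrome, or from the draft), the following Node.js model of the draft-07 cookie attachment rules shows why the two paste scenarios should behave identically: the new-tab paste has no initiating "client", which Mike's reading of section 2.1 step 1 treats as same-site, while a cross-site link still gets only the Lax cookie and a cross-site POST gets neither. The function names (`sameSiteness`, `cookiesForRequest`, `run`), the cookie jar and the request scenarios are constructed for this example, and the registrable-domain computation is simplified to the last two host labels rather than the Public Suffix List.

```javascript
// Toy model of SameSite attachment per draft-west-first-party-cookies-07.
// Example code written for this thread, not a browser or spec implementation.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Simplified registrable domain: the last two DNS labels. Real browsers use
// the Public Suffix List (co.uk, github.io, ...); the shortcut is enough here.
function registrableDomain(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Classify a request as 'same-site' or 'cross-site'.
// `client` is the URL of the context that initiated the request, or null for
// a user-initiated navigation (URL pasted into a fresh tab, bookmark, link from
// a native mail client). Assumption taken from Mike West's reading of
// draft-07 section 2.1 step 1: a request with no client is same-site.
function sameSiteness(request) {
  if (request.client === null) return 'same-site';
  return registrableDomain(request.client) === registrableDomain(request.url)
    ? 'same-site'
    : 'cross-site';
}

// Return the names of the cookies in `jar` that would be attached to `request`.
// Each cookie is {name, sameSite: 'Strict' | 'Lax' | 'None'}.
//   Strict: only on same-site requests.
//   Lax:    same-site, or a cross-site top-level navigation with a safe method.
//   None (or no attribute under this draft): always sent.
function cookiesForRequest(jar, request) {
  const relation = sameSiteness(request);
  const laxAllowed = request.topLevel && SAFE_METHODS.has(request.method);
  return jar
    .filter((c) => {
      if (c.sameSite === 'Strict') return relation === 'same-site';
      if (c.sameSite === 'Lax') return relation === 'same-site' || laxAllowed;
      return true;
    })
    .map((c) => c.name);
}

// Constructed cookie jar for example.com: a session cookie the site wants to
// keep on inbound links (Lax) and a CSRF-defence cookie that must never ride
// along on a request another site initiated (Strict).
const JAR = [
  { name: 'session', sameSite: 'Lax' },
  { name: 'csrf', sameSite: 'Strict' },
  { name: 'prefs', sameSite: 'None' },
];

// Constructed request scenarios mirroring the ones discussed in the thread.
const SCENARIOS = {
  // URL pasted into the address bar of a tab already on example.com.
  sameTabPaste: { url: 'https://example.com/account', client: 'https://example.com/', method: 'GET', topLevel: true },
  // URL pasted into a brand-new tab: nothing but the user initiated it.
  newTabPaste: { url: 'https://example.com/account', client: null, method: 'GET', topLevel: true },
  // Link to example.com clicked on another site.
  crossSiteLink: { url: 'https://example.com/account', client: 'https://evil.example.net/', method: 'GET', topLevel: true },
  // Auto-submitted form from another site: the classic CSRF shape.
  crossSitePost: { url: 'https://example.com/transfer', client: 'https://evil.example.net/', method: 'POST', topLevel: true },
  // Cross-site <img>/fetch: a subresource load, not a navigation at all.
  crossSiteSubresource: { url: 'https://example.com/avatar.png', client: 'https://evil.example.net/', method: 'GET', topLevel: false },
};

// Evaluate every scenario against the jar; returns {scenarioName: [cookieNames]}.
function run() {
  const result = {};
  for (const [name, request] of Object.entries(SCENARIOS)) {
    result[name] = cookiesForRequest(JAR, request);
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(run(), null, 2));
}
```

With the null-client rule in place, `newTabPaste` and `sameTabPaste` both carry all three cookies, so the behaviour Craig observed in Chrome 51-53 is the implementation diverging from the model, not the model asking the user to log in again. The `crossSiteLink` case is what SameSite=Lax buys (the session survives an inbound link, the CSRF cookie does not), and `crossSitePost` shows the request a Strict or Lax cookie is meant to starve.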

Neko creeepypasta

Jun 24, 2016, 6:02:28 PM
to securi...@chromium.org
hacked device help