Same Site Changes in Chrome

Same Site Meaning:

The SameSite cookie attribute can be used to disable third-party usage for a specific cookie. When a page makes a request to a third-party site, the cookies the browser holds for that site are also sent in the request header. If you don't want those cookies to be sent, you can set SameSite=Strict: the server sets it when issuing the cookie, and it asks the browser to send the cookie only in a first-party context. This effectively makes CSRF impossible, because an attacker can no longer use a user's session from their own site.

Set-Cookie: key=value; Secure; SameSite=Strict

Chrome changes:

Google plans to add support for an IETF standard called SameSite, which requires web developers to manage cookies with the SameSite attribute component in the Set-Cookie header.

  1. SameSite by default cookies: Chrome enforces the Lax value for all cookies that don't specify the SameSite attribute.
  2. Cookies without SameSite must be secure: a cookie that opts out of SameSite restrictions (SameSite=None) must also carry the Secure attribute, as in the Set-Cookie example below. Cookies that fail to do so are rejected.
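To make the two rules concrete, here is an added Python example (not from the original post) that parses a Set-Cookie header value and reports how Chrome treats the cookie under the new defaults; the sample headers are constructed for illustration.

```python
# Added example: classify Set-Cookie headers under the two Chrome changes.
# Rule 1: a cookie with no SameSite attribute is treated as SameSite=Lax.
# Rule 2: SameSite=None requires Secure, otherwise the cookie is rejected.

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into the name/value pair and a
    case-insensitive attribute map (value is None for flag attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def chrome_effective_samesite(header: str) -> str:
    """Return how Chrome with the new defaults treats the cookie:
    'Strict', 'Lax', 'None', or 'rejected'."""
    attrs = parse_set_cookie(header)["attrs"]
    secure = "secure" in attrs
    samesite = attrs.get("samesite")

    if samesite is None or samesite.lower() not in ("strict", "lax", "none"):
        # Rule 1: missing (or unrecognised, treated as missing) attribute
        # falls back to the Lax default.
        return "Lax"
    samesite = samesite.lower()
    if samesite == "none":
        # Rule 2: a cross-site cookie must also be Secure.
        return "None" if secure else "rejected"
    return samesite.capitalize()


def audit(headers) -> dict:
    """Map each constructed Set-Cookie header to its effective treatment."""
    return {h: chrome_effective_samesite(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real server.
    for header, result in audit([
        "sid=abc; Secure; HttpOnly",
        "tracker=1; SameSite=None",
        "tracker=1; Secure; SameSite=None",
        "csrf=xyz; Secure; SameSite=Strict",
    ]).items():
        print(f"{result:8} <- {header}")
```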

What do you need to do?

If you need your cookies to be sent in third-party contexts and don't want to be affected by this Chrome change, set SameSite=None (together with Secure) when sending the cookie in the response to Chrome.

Set-Cookie: key=value; Secure; SameSite=None

  // Prefix that precedes the major version in a Chrome user-agent string
  val CHROME = "chrome/"

  // Chrome 51 to 66 reject a cookie carrying SameSite=None, so the attribute is
  // only emitted for Chrome 67 and later. The user-agent string is supplied by
  // the client and easily spoofed: this is a compatibility check, not a security control.
  def isSameSiteApplicable(userAgent: String): Boolean = {
    if (userAgent == null || userAgent.isEmpty) false
    else {
      val ua = userAgent.toLowerCase
      val chromeIndex = ua.indexOf(CHROME)
      if (chromeIndex == -1) false
      else {
        // The major version runs from the end of "chrome/" to the first "."
        val dotIndex = ua.indexOf(".", chromeIndex)
        if (dotIndex == -1) false
        else {
          val version = ua.substring(chromeIndex + CHROME.length, dotIndex)
          toInteger(version) >= 67
        }
      }
    }
  }

  // Parse a version string, returning 0 for anything that is not an integer
  def toInteger(s: String): Int = {
    try {
      s.toInt
    } catch {
      case e: NumberFormatException => 0
    }
  }

Conclusion

The SameSite attribute makes it possible to disable third-party usage for any cookie. The feature significantly improves protection against CSRF and related attacks.

SDE-3 at PayPal
