This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "SameSite"
From OWASP
| Line 1: | Line 1: | ||
| − | == Overview == | + | {{Stub}}== Overview == |
SameSite allows a server define a cookie attribute making it impossible to the browser send this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks. | SameSite allows a server define a cookie attribute making it impossible to the browser send this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks. | ||
| Line 10: | Line 10: | ||
* http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ | * http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ | ||
* https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/ | * https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/ | ||
| − | |||
| − | |||
Revision as of 01:11, 21 June 2016
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
Overview
SameSite allows a server define a cookie attribute making it impossible to the browser send this cookie along with cross-site requests. The main goal is mitigate the risk of cross-origin information leakage, and provides some protection against cross-site request forgery attacks.
The "SameSite" attribute is not fully implemented yet. At the time of this article the attribute was defined in a RFC draft available here https://tools.ietf.org/html/draft-west-first-party-cookies-07.
