Goodbye CSRF - SameSite to the rescue!

SameSite cookies are a mechanism for defining how cookies should be sent across domains. This is a security mechanism developed by Google and is at this moment present in Chrome-dev (51.0.2704.4). The purpose of SameSite cookies is to try to prevent CSRF and XSSI attacks. You can read the draft here.


SameSite cookies are something I've kept an eye on for a very long time now, and seeing them finally working in Chrome-dev is absolutely great news! This means that if you have a website that uses cookies you should start supporting SameSite cookies. In fact, it's extremely easy; you just add the SameSite attribute in the Set-Cookie field. Remember that SameSite requires a value (it will be set to Strict if no value is set), that is, Lax or Strict. You can read about these attributes in the draft, but I'll try to explain them so you can more easily understand how they work.

The syntax is SameSite=<value>, for example SameSite=Lax.

Strict

Strict is the most robust protection and will probably protect against all CSRF attacks. However, it's far from user friendly, because it also tries to protect against CSRF carried out with GET requests.

Example: If a user clicks (GET) a link on reddit.com leading to facebook.com and facebook.com uses Strict SameSite cookies, the user will not be logged in on facebook.com, because the browser will not send the cookies on a request from domain A to domain B.

Lax

The Lax (relaxed?) attribute solves the above issue by only stopping cookies from being sent cross-domain when the request uses a "dangerous" HTTP method, in this case POST.

Example 1: If a user clicks (GET) a link on reddit.com leading to facebook.com and facebook.com uses Lax SameSite cookies, the user will be logged in on facebook.com, because the browser does send the cookies on a GET request from domain A to domain B.

Example 2: If a user submits (POST) a form on reddit.com whose target is facebook.com, and facebook.com uses Lax SameSite cookies, the browser will not send the cookies from domain A to domain B.


Beware

Lax does not give full protection against CSRF and/or XSSI attacks, as the draft says. But I do feel that you should start by using Lax and then work towards better CSRF mitigation so you can later use the Strict attribute.

Also, make sure not to set the same SameSite attribute on all your cookies, because different cookies are used for different things. If your site uses a session cookie, this could have the Lax attribute while the rest have Strict. For me this worked, because with all cookies set to Strict I was logged out when navigating away from or to my site.
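As an added example that is not part of the original post, here is a small JavaScript model of the Strict and Lax rules from the sections above and of the cookie split recommended here (session cookie Lax, the rest Strict). The `topLevel` flag and the list of safe methods follow the draft's rule that Lax attaches cookies only on top-level navigations using safe methods, which is slightly more general than the post's GET/POST wording; cookie names such as `session` and `theme` are made up.

```javascript
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build a Set-Cookie header value. An explicit SameSite value is required here
// rather than relying on the draft's default, so a typo cannot silently
// change the policy.
function setCookieHeader(name, value, { sameSite, httpOnly = true, secure = true } = {}) {
  if (sameSite !== 'Strict' && sameSite !== 'Lax') {
    throw new Error('SameSite needs an explicit value: Strict or Lax');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `SameSite=${sameSite}`, 'Path=/'];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Model of the browser's decision whether to attach a cookie to a request.
//   sameSite:  'Strict' | 'Lax' | null (attribute absent)
//   method:    HTTP method of the request
//   crossSite: true when the request is initiated from another site
//   topLevel:  true for a top-level navigation (link click, form submit),
//              false for subresources, frames and XHR
function cookieIsSent({ sameSite, method, crossSite, topLevel }) {
  if (!crossSite) return true;               // same-site requests always carry it
  if (sameSite === 'Strict') return false;   // Strict: never cross-site
  if (sameSite === 'Lax') {
    // Lax: only top-level navigations using a "safe" method (so no POST)
    return topLevel && SAFE_METHODS.has(method.toUpperCase());
  }
  return true;                               // no attribute: legacy behaviour
}

// The split recommended in "Beware": session cookie Lax, the rest Strict.
function loginResponseHeaders(sessionId) {
  return [
    setCookieHeader('session', sessionId, { sameSite: 'Lax' }),
    setCookieHeader('theme', 'dark', { sameSite: 'Strict', httpOnly: false }),
  ];
}

// The post's three scenarios as seen by facebook.com (constructed inputs).
const scenarios = {
  strictLinkClick: { sameSite: 'Strict', method: 'GET',  crossSite: true, topLevel: true },
  laxLinkClick:    { sameSite: 'Lax',    method: 'GET',  crossSite: true, topLevel: true },
  laxFormPost:     { sameSite: 'Lax',    method: 'POST', crossSite: true, topLevel: true },
};
```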