mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
Changing SameSite table for comprehensiveness
The table of the SameSite cookie flag used the term `Normal`, which is taken from the Invicti website, but could be misleading . Changing it in favor of `NotSet`. Further, adding `None` to the table for comprehensiveness. Finally, adding a hint to `NotSet` in the table, because of the changing default behavior of browsers. Also fixing a typo in a keyword.
This commit is contained in:
parent
774f8d1df8
commit
6b80e74f37
1 changed files with 11 additions and 11 deletions
|
@ -144,20 +144,20 @@ This will indicate to the browser if the **cookie** can be sent **from other dom
|
||||||
* **Lax**: The cookie will be sent along with the GET request initiated by third party websites.
|
* **Lax**: The cookie will be sent along with the GET request initiated by third party websites.
|
||||||
* **None**: The cookie is sent from any third party domain
|
* **None**: The cookie is sent from any third party domain
|
||||||
|
|
||||||
| **Request Type** | **Example Code** | **Cookies sent** |
|
| **Request Type** | **Example Code** | **Cookies Sent When** |
|
||||||
| ---------------- | ---------------------------------- | ---------------- |
|
| ---------------- | ---------------------------------- | --------------------- |
|
||||||
| Link | \<a href="...">\</a> | Normal, Lax |
|
| Link | \<a href="...">\</a> | NotSet*, Lax, None |
|
||||||
| Perender | \<link rel="prerender" href=".."/> | Normal, Lax |
|
| Prerender | \<link rel="prerender" href=".."/> | NotSet*, Lax, None |
|
||||||
| Form GET | \<form method="GET" action="..."> | Normal, Lax |
|
| Form GET | \<form method="GET" action="..."> | NotSet*, Lax, None |
|
||||||
| Form POST | \<form method="POST" action="..."> | Normal |
|
| Form POST | \<form method="POST" action="..."> | NotSet*, None |
|
||||||
| iframe | \<iframe src="...">\</iframe> | Normal |
|
| iframe | \<iframe src="...">\</iframe> | NotSet*, None |
|
||||||
| AJAX | $.get("...") | Normal |
|
| AJAX | $.get("...") | NotSet*, None |
|
||||||
| Image | \<img src="..."> | Normal |
|
| Image | \<img src="..."> | NetSet*, None |
|
||||||
|
|
||||||
Table from [here](https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/)\
|
Table from [Invicti](https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/) and slightly modified.\
|
||||||
A cookie with _**SameSite**_ attribute will **mitigate CSRF attacks** where a logged session is needed.
|
A cookie with _**SameSite**_ attribute will **mitigate CSRF attacks** where a logged session is needed.
|
||||||
|
|
||||||
**Notice that from Chrome80 (feb/2019) the default behaviour of a cookie without a cookie samesite** **attribute will be lax** ([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)).\
|
**\*Notice that from Chrome80 (feb/2019) the default behaviour of a cookie without a cookie samesite** **attribute will be lax** ([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)).\
|
||||||
Notice that temporary, after applying this change, the **cookies without a SameSite** **policy** in Chrome will be **treated as None** during the **first 2 minutes and then as Lax for top-level cross-site POST request.**
|
Notice that temporary, after applying this change, the **cookies without a SameSite** **policy** in Chrome will be **treated as None** during the **first 2 minutes and then as Lax for top-level cross-site POST request.**
|
||||||
|
|
||||||
## Cookies Flags
|
## Cookies Flags
|
||||||
|
|
Loading…
Reference in a new issue