SameSite: The CSRF Killer
In this lesson, we'll look at the SameSite flag.
Introduction
Last but not least, let's look at the SameSite flag, one of the latest entries in the cookie world.
Introduced by Google Chrome v51, this flag effectively eliminates Cross-Site Request Forgery (CSRF) from the web. SameSite is a simple yet groundbreaking innovation, as previous solutions to CSRF attacks were either incomplete or too much of a burden for site owners.
In order to understand SameSite, we first need to have a look at the vulnerability it neutralizes. A CSRF is an unwanted request made by site A to site B while the user is authenticated on site B.
Sounds complicated? Let me rephrase: suppose that you are logged in on your banking website, which has a mechanism to transfer money based on an HTML <form> and a few additional parameters like destination account and amount. When the website receives a POST request with those parameters and your session cookie, it will process the transfer. Now, suppose a malicious third-party website sets up an HTML form like this:
<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="destination" value="attacker@email.com" />
  <input type="hidden" name="amount" value="1000" />
  <input type="submit" value="CLICK HERE TO WIN A HUMMER" />
</form>
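To see why the SameSite attribute stops this form from working, here is an added example (not code from the lesson) that models the browser-side rule: a cookie carrying SameSite=Strict is never attached to a cross-site request, SameSite=Lax attaches it only on top-level navigations that use a safe method such as GET, and SameSite=None attaches it everywhere (and is only honoured together with Secure). The attacker host evil.example, the session cookie value and the two-label "site" comparison are assumptions made for the example; real browsers use the Public Suffix List to decide what counts as the same site.

```javascript
// Added example: a small model of how a browser decides whether to attach a
// cookie to a request, based on the cookie's SameSite attribute. Site names
// and the simplified "site" check are assumptions for illustration.

const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Build the value of a Set-Cookie header for a session cookie.
// Browsers reject SameSite=None unless the Secure attribute is also present.
function buildSetCookie(name, value, { sameSite = "Lax", secure = true, httpOnly = true } = {}) {
  if (!["Strict", "Lax", "None"].includes(sameSite)) {
    throw new Error(`unknown SameSite value: ${sameSite}`);
  }
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${value}`, "Path=/", `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Simplified "site" of a host: its last two DNS labels. Real browsers consult
// the Public Suffix List; this approximation is enough for the scenario here.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Decide whether a cookie with the given SameSite value is attached to a
// request. `req` describes the request: the site that initiated it, the host
// it goes to, the HTTP method, and whether it is a top-level navigation
// (a form submit or link click, as opposed to an <img> load or fetch() call).
function cookieIsSent(sameSite, req) {
  if (siteOf(req.initiator) === siteOf(req.target)) return true; // same-site: always sent
  switch (sameSite) {
    case "Strict":
      return false; // never attached to a cross-site request
    case "Lax":
      return req.topLevelNavigation && SAFE_METHODS.includes(req.method);
    case "None":
      return true; // pre-SameSite behaviour: the cookie rides along, CSRF works
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// The lesson's scenario: a form on a third-party page POSTs to the bank while
// the victim holds a bank session cookie. Returns what the bank would do.
function transferScenario(sameSite) {
  const req = {
    initiator: "evil.example", // constructed attacker-controlled page
    target: "bank.com",        // the host from the lesson's form
    method: "POST",
    topLevelNavigation: true,  // a submitted <form> navigates the top-level window
  };
  return cookieIsSent(sameSite, req)
    ? "transfer processed"
    : "request arrives without session; transfer rejected";
}

console.log(buildSetCookie("session", "abc123", { sameSite: "Lax" }));
for (const v of ["None", "Lax", "Strict"]) {
  console.log(`SameSite=${v}: ${transferScenario(v)}`);
}
```

Running the block shows the lesson's point in one line per setting: with SameSite=None the forged POST carries the session and the transfer goes through, while Lax and Strict both deliver the request without the cookie, so the bank sees an unauthenticated request and rejects it. The Lax branch is also why an ordinary link to the bank from another site still works: a GET top-level navigation keeps the cookie, a cross-site POST does not.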
...