Add a guideline on SameSite #16
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Perhaps this is too detailed, compared with the other guidelines in this document? |
aaronshim
approved these changes
Mar 24, 2025
docs/security_guidelines.md
Outdated
| @@ -48,6 +48,29 @@ A CSP helps mitigate [cross-site scripting (XSS)](https://developer.mozilla.org/ | |||
| - [Content Security Policy Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html) (OWASP) | |||
| - [Strict CSP guide](https://web.dev/articles/strict-csp) (web.dev) | |||
|
|
|||
| ### Set the SameSite attribute on sensitive cookies | |||
|
|
|||
| The [`SameSite`]() cookie attribute is a defense in depth against a variety of attacks, including [clickjacking](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Clickjacking), [CSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF) and various [cross-site leaks](https://xsleaks.dev/). It takes one of three values: `Strict`, `Lax`, or `None`. | |||
There was a problem hiding this comment.
Is [`SameSite`]() supposed to have a link?
There was a problem hiding this comment.
it has one:
but the empty parens need to be removed. I added a suggestion for that
There was a problem hiding this comment.
Yes, I missed this, but didn't intend to make it a reference link. I will push an update to fix it.
| - `Lax` for cookies that you will use to decide if a logged-in user should be shown a page | ||
| - `Strict` for cookies that you will use to authorize requests that carry out some sensitive action, such as transferring money or changing the user's settings. | ||
|
|
||
| Note that `Lax` is the default value in some but not all browsers, and in those browsers, the implementation of `Lax` when it is the default is more permissive than the normal implementation of `Lax`. This means that you should actively set `Lax`, and not rely on it being the default. |
There was a problem hiding this comment.
default value in some but not all browsers
Do we know whether this is likely to change in the future?
There was a problem hiding this comment.
For Firefox, this is the best I could find: https://bugzilla.mozilla.org/show_bug.cgi?id=1617609#c26. Short answer, no, not in the forseeable future.
There was a problem hiding this comment.
See also mdn/content#36931.
docs/security_guidelines.md
Outdated
| As a general guide, then, you should try to use `Strict` for some cookies and `Lax` for others: | ||
|
|
||
| - `Lax` for cookies that you will use to decide if a logged-in user should be shown a page | ||
| - `Strict` for cookies that you will use to authorize requests that carry out some sensitive action, such as transferring money or changing the user's settings. |
There was a problem hiding this comment.
some sensitive action
I wonder whether we should mention that a good rule-of-thumb for this sensitivity is whether the action is "state-changing" (which is exactly what you're implying in the examples you've cited)!
ctcpip
reviewed
Mar 25, 2025
docs/security_guidelines.md
Outdated
| @@ -48,6 +48,29 @@ A CSP helps mitigate [cross-site scripting (XSS)](https://developer.mozilla.org/ | |||
| - [Content Security Policy Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html) (OWASP) | |||
| - [Strict CSP guide](https://web.dev/articles/strict-csp) (web.dev) | |||
|
|
|||
| ### Set the SameSite attribute on sensitive cookies | |||
|
|
|||
| The [`SameSite`]() cookie attribute is a defense in depth against a variety of attacks, including [clickjacking](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Clickjacking), [CSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF) and various [cross-site leaks](https://xsleaks.dev/). It takes one of three values: `Strict`, `Lax`, or `None`. | |||
There was a problem hiding this comment.
Suggested change
| The [`SameSite`]() cookie attribute is a defense in depth against a variety of attacks, including [clickjacking](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Clickjacking), [CSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF) and various [cross-site leaks](https://xsleaks.dev/). It takes one of three values: `Strict`, `Lax`, or `None`. | |
| The [`SameSite`] cookie attribute is a defense in depth against a variety of attacks, including [clickjacking](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Clickjacking), [CSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF) and various [cross-site leaks](https://xsleaks.dev/). It takes one of three values: `Strict`, `Lax`, or `None`. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #14.
Adds a guideline on
SameSite.