{ |
|
"title":"'SameSite' cookie attribute", |
|
"description":"Same-site cookies (\"First-Party-Only\" or \"First-Party\") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.", |
|
"spec":"https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07", |
|
"status":"other", |
|
"links":[ |
|
{ |
|
"url":"https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/", |
|
"title":"Preventing CSRF with the same-site cookie attribute" |
|
}, |
|
{ |
|
"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=795346", |
|
"title":"Mozilla Bug #795346: Add SameSite support for cookies" |
|
}, |
|
{ |
|
"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1286861", |
|
"title":"Mozilla Bug #1286861, includes the patches that landed SameSite support in Firefox" |
|
}, |
|
{ |
|
"url":"https://developer.microsoft.com/en-us/microsoft-edge/status/samesitecookies/", |
|
"title":"Microsoft Edge Browser Status" |
|
}, |
|
{ |
|
"url":"https://blogs.windows.com/msedgedev/2018/05/17/samesite-cookies-microsoft-edge-internet-explorer/", |
|
"title":"MS Edge dev blog: \"Previewing support for same-site cookies in Microsoft Edge\"" |
|
}, |
|
{ |
|
"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1551798", |
|
"title":"Mozilla Bug #1551798: Prototype SameSite=Lax by default" |
|
}, |
|
{ |
|
"url":"https://peaceful-wing.glitch.me", |
|
"title":"Same-site cookies demonstration by Rowan Merewood" |
|
} |
|
], |
|
"bugs":[ |
|
{ |
|
"description":"On [Safari in macOS before 10.14.4 and iOS before 12.2](https://bugs.webkit.org/show_bug.cgi?id=188165#c43), some authentication flows with a cross-site identity provider might fail when `SameSite=Lax` is used. See [the explanation and a workaround.](https://brockallen.com/2019/01/11/same-site-cookies-asp-net-core-and-external-authentication-providers/)" |
|
}, |
|
{ |
|
"description":"On [Safari before 12.1.1 and iOS before 12.3](https://trac.webkit.org/changeset/241918/webkit), manually visiting a redirection link to a cross-site URL omits `Lax` cookies from the cross-site request. See [the bug.](https://bugs.webkit.org/show_bug.cgi?id=196375)" |
|
} |
|
], |
|
"categories":[ |
|
"Security" |
|
], |
|
"stats":{ |
|
"ie":{ |
|
"5.5":"n", |
|
"6":"n", |
|
"7":"n", |
|
"8":"n", |
|
"9":"n", |
|
"10":"n", |
|
"11":"a #1 #2" |
|
}, |
|
"edge":{ |
|
"12":"n", |
|
"13":"n", |
|
"14":"n", |
|
"15":"n", |
|
"16":"y #1", |
|
"17":"y #1", |
|
"18":"y", |
|
"79":"y", |
|
"80":"y", |
|
"81":"y", |
|
"83":"y", |
|
"84":"y", |
|
"85":"y", |
|
"86":"y #3", |
|
"87":"y #3", |
|
"88":"y #3", |
|
"89":"y #3", |
|
"90":"y #3", |
|
"91":"y #3", |
|
"92":"y #3", |
|
"93":"y #3", |
|
"94":"y #3", |
|
"95":"y #3", |
|
"96":"y #3", |
|
"97":"y #3", |
|
"98":"y #3", |
|
"99":"y #3", |
|
"100":"y #3", |
|
"101":"y #3", |
|
"102":"y #3", |
|
"103":"y #3", |
|
"104":"y #3", |
|
"105":"y #3", |
|
"106":"y #3", |
|
"107":"y #3", |
|
"108":"y #3", |
|
"109":"y #3", |
|
"110":"y #3", |
|
"111":"y #3", |
|
"112":"y #3", |
|
"113":"y #3", |
|
"114":"y #3", |
|
"115":"y #3", |
|
"116":"y #3", |
|
"117":"y #3", |
|
"118":"y #3", |
|
"119":"y #3", |
|
"120":"y #3", |
|
"121":"y #3", |
|
"122":"y #3", |
|
"123":"y #3", |
|
"124":"y #3", |
|
"125":"y #3", |
|
"126":"y #3", |
|
"127":"y #3", |
|
"128":"y #3", |
|
"129":"y #3", |
|
"130":"y #3", |
|
"131":"y #3", |
|
"132":"y #3", |
|
"133":"y #3", |
|
"134":"y #3", |
|
"135":"y #3", |
|
"136":"y #3", |
|
"137":"y #3", |
|
"138":"y #3", |
|
"139":"y #3", |
|
"140":"y #3", |
|
"141":"y #3", |
|
"142":"y #3", |
|
"143":"y #3", |
|
"144":"y #3", |
|
"145":"y #3", |
|
"146":"y #3", |
|
"147":"y #3" |
|
}, |
|
"firefox":{ |
|
"2":"n", |
|
"3":"n", |
|
"3.5":"n", |
|
"3.6":"n", |
|
"4":"n", |
|
"5":"n", |
|
"6":"n", |
|
"7":"n", |
|
"8":"n", |
|
"9":"n", |
|
"10":"n", |
|
"11":"n", |
|
"12":"n", |
|
"13":"n", |
|
"14":"n", |
|
"15":"n", |
|
"16":"n", |
|
"17":"n", |
|
"18":"n", |
|
"19":"n", |
|
"20":"n", |
|
"21":"n", |
|
"22":"n", |
|
"23":"n", |
|
"24":"n", |
|
"25":"n", |
|
"26":"n", |
|
"27":"n", |
|
"28":"n", |
|
"29":"n", |
|
"30":"n", |
|
"31":"n", |
|
"32":"n", |
|
"33":"n", |
|
"34":"n", |
|
"35":"n", |
|
"36":"n", |
|
"37":"n", |
|
"38":"n", |
|
"39":"n", |
|
"40":"n", |
|
"41":"n", |
|
"42":"n", |
|
"43":"n", |
|
"44":"n", |
|
"45":"n", |
|
"46":"n", |
|
"47":"n", |
|
"48":"n", |
|
"49":"n", |
|
"50":"n", |
|
"51":"n", |
|
"52":"n", |
|
"53":"n", |
|
"54":"n", |
|
"55":"n", |
|
"56":"n", |
|
"57":"n", |
|
"58":"n", |
|
"59":"n", |
|
"60":"y", |
|
"61":"y", |
|
"62":"y", |
|
"63":"y", |
|
"64":"y", |
|
"65":"y", |
|
"66":"y", |
|
"67":"y", |
|
"68":"y", |
|
"69":"y", |
|
"70":"y", |
|
"71":"y", |
|
"72":"y", |
|
"73":"y", |
|
"74":"y", |
|
"75":"y", |
|
"76":"y", |
|
"77":"y", |
|
"78":"y", |
|
"79":"y", |
|
"80":"y", |
|
"81":"y", |
|
"82":"y", |
|
"83":"y", |
|
"84":"y", |
|
"85":"y", |
|
"86":"y", |
|
"87":"y", |
|
"88":"y", |
|
"89":"y", |
|
"90":"y", |
|
"91":"y", |
|
"92":"y", |
|
"93":"y", |
|
"94":"y", |
|
"95":"y", |
|
"96":"y", |
|
"97":"y", |
|
"98":"y", |
|
"99":"y", |
|
"100":"y", |
|
"101":"y", |
|
"102":"y", |
|
"103":"y", |
|
"104":"y", |
|
"105":"y", |
|
"106":"y", |
|
"107":"y", |
|
"108":"y", |
|
"109":"y", |
|
"110":"y", |
|
"111":"y", |
|
"112":"y", |
|
"113":"y", |
|
"114":"y", |
|
"115":"y", |
|
"116":"y", |
|
"117":"y", |
|
"118":"y", |
|
"119":"y", |
|
"120":"y", |
|
"121":"y", |
|
"122":"y", |
|
"123":"y", |
|
"124":"y", |
|
"125":"y", |
|
"126":"y", |
|
"127":"y", |
|
"128":"y", |
|
"129":"y", |
|
"130":"y", |
|
"131":"y", |
|
"132":"y", |
|
"133":"y", |
|
"134":"y", |
|
"135":"y", |
|
"136":"y", |
|
"137":"y", |
|
"138":"y", |
|
"139":"y", |
|
"140":"y", |
|
"141":"y", |
|
"142":"y", |
|
"143":"y", |
|
"144":"y", |
|
"145":"y", |
|
"146":"y", |
|
"147":"y", |
|
"148":"y", |
|
"149":"y", |
|
"150":"y", |
|
"151":"y", |
|
"152":"y", |
|
"153":"y" |
|
}, |
|
"chrome":{ |
|
"4":"n", |
|
"5":"n", |
|
"6":"n", |
|
"7":"n", |
|
"8":"n", |
|
"9":"n", |
|
"10":"n", |
|
"11":"n", |
|
"12":"n", |
|
"13":"n", |
|
"14":"n", |
|
"15":"n", |
|
"16":"n", |
|
"17":"n", |
|
"18":"n", |
|
"19":"n", |
|
"20":"n", |
|
"21":"n", |
|
"22":"n", |
|
"23":"n", |
|
"24":"n", |
|
"25":"n", |
|
"26":"n", |
|
"27":"n", |
|
"28":"n", |
|
"29":"n", |
|
"30":"n", |
|
"31":"n", |
|
"32":"n", |
|
"33":"n", |
|
"34":"n", |
|
"35":"n", |
|
"36":"n", |
|
"37":"n", |
|
"38":"n", |
|
"39":"n", |
|
"40":"n", |
|
"41":"n", |
|
"42":"n", |
|
"43":"n", |
|
"44":"n", |
|
"45":"n", |
|
"46":"n", |
|
"47":"n", |
|
"48":"n", |
|
"49":"n", |
|
"50":"n", |
|
"51":"y", |
|
"52":"y", |
|
"53":"y", |
|
"54":"y", |
|
"55":"y", |
|
"56":"y", |
|
"57":"y", |
|
"58":"y", |
|
"59":"y", |
|
"60":"y", |
|
"61":"y", |
|
"62":"y", |
|
"63":"y", |
|
"64":"y", |
|
"65":"y", |
|
"66":"y", |
|
"67":"y", |
|
"68":"y", |
|
"69":"y", |
|
"70":"y", |
|
"71":"y", |
|
"72":"y", |
|
"73":"y", |
|
"74":"y", |
|
"75":"y", |
|
"76":"y", |
|
"77":"y", |
|
"78":"y", |
|
"79":"y", |
|
"80":"y #3", |
|
"81":"y #3", |
|
"83":"y #3", |
|
"84":"y #3", |
|
"85":"y #3", |
|
"86":"y #3", |
|
"87":"y #3", |
|
"88":"y #3", |
|
"89":"y #3", |
|
"90":"y #3", |
|
"91":"y #3", |
|
"92":"y #3", |
|
"93":"y #3", |
|
"94":"y #3", |
|
"95":"y #3", |
|
"96":"y #3", |
|
"97":"y #3", |
|
"98":"y #3", |
|
"99":"y #3", |
|
"100":"y #3", |
|
"101":"y #3", |
|
"102":"y #3", |
|
"103":"y #3", |
|
"104":"y #3", |
|
"105":"y #3", |
|
"106":"y #3", |
|
"107":"y #3", |
|
"108":"y #3", |
|
"109":"y #3", |
|
"110":"y #3", |
|
"111":"y #3", |
|
"112":"y #3", |
|
"113":"y #3", |
|
"114":"y #3", |
|
"115":"y #3", |
|
"116":"y #3", |
|
"117":"y #3", |
|
"118":"y #3", |
|
"119":"y #3", |
|
"120":"y #3", |
|
"121":"y #3", |
|
"122":"y #3", |
|
"123":"y #3", |
|
"124":"y #3", |
|
"125":"y #3", |
|
"126":"y #3", |
|
"127":"y #3", |
|
"128":"y #3", |
|
"129":"y #3", |
|
"130":"y #3", |
|
"131":"y #3", |
|
"132":"y #3", |
|
"133":"y #3", |
|
"134":"y #3", |
|
"135":"y #3", |
|
"136":"y #3", |
|
"137":"y #3", |
|
"138":"y #3", |
|
"139":"y #3", |
|
"140":"y #3", |
|
"141":"y #3", |
|
"142":"y #3", |
|
"143":"y #3", |
|
"144":"y #3", |
|
"145":"y #3", |
|
"146":"y #3", |
|
"147":"y #3", |
|
"148":"y #3", |
|
"149":"y #3", |
|
"150":"y #3", |
|
"151":"y #3" |
|
}, |
|
"safari":{ |
|
"3.1":"n", |
|
"3.2":"n", |
|
"4":"n", |
|
"5":"n", |
|
"5.1":"n", |
|
"6":"n", |
|
"6.1":"n", |
|
"7":"n", |
|
"7.1":"n", |
|
"8":"n", |
|
"9":"n", |
|
"9.1":"n", |
|
"10":"n", |
|
"10.1":"n", |
|
"11":"n", |
|
"11.1":"n", |
|
"12":"a #4 #5", |
|
"12.1":"a #4 #5", |
|
"13":"a #4 #5", |
|
"13.1":"a #4 #5", |
|
"14":"a #5", |
|
"14.1":"a #5", |
|
"15":"y", |
|
"15.1":"y", |
|
"15.2-15.3":"y", |
|
"15.4":"y", |
|
"15.5":"y", |
|
"15.6":"y", |
|
"16.0":"y", |
|
"16.1":"y", |
|
"16.2":"y", |
|
"16.3":"y", |
|
"16.4":"y", |
|
"16.5":"y", |
|
"16.6":"y", |
|
"17.0":"y", |
|
"17.1":"y", |
|
"17.2":"y", |
|
"17.3":"y", |
|
"17.4":"y", |
|
"17.5":"y", |
|
"17.6":"y", |
|
"18.0":"y", |
|
"18.1":"y", |
|
"18.2":"y", |
|
"18.3":"y", |
|
"18.4":"y", |
|
"18.5-18.7":"y", |
|
"26.0":"y", |
|
"26.1":"y", |
|
"26.2":"y", |
|
"26.3":"y", |
|
"26.4":"y", |
|
"26.5":"y", |
|
"TP":"y" |
|
}, |
|
"opera":{ |
|
"9":"n", |
|
"9.5-9.6":"n", |
|
"10.0-10.1":"n", |
|
"10.5":"n", |
|
"10.6":"n", |
|
"11":"n", |
|
"11.1":"n", |
|
"11.5":"n", |
|
"11.6":"n", |
|
"12":"n", |
|
"12.1":"n", |
|
"15":"n", |
|
"16":"n", |
|
"17":"n", |
|
"18":"n", |
|
"19":"n", |
|
"20":"n", |
|
"21":"n", |
|
"22":"n", |
|
"23":"n", |
|
"24":"n", |
|
"25":"n", |
|
"26":"n", |
|
"27":"n", |
|
"28":"n", |
|
"29":"n", |
|
"30":"n", |
|
"31":"n", |
|
"32":"n", |
|
"33":"n", |
|
"34":"n", |
|
"35":"n", |
|
"36":"n", |
|
"37":"n", |
|
"38":"n", |
|
"39":"y", |
|
"40":"y", |
|
"41":"y", |
|
"42":"y", |
|
"43":"y", |
|
"44":"y", |
|
"45":"y", |
|
"46":"y", |
|
"47":"y", |
|
"48":"y", |
|
"49":"y", |
|
"50":"y", |
|
"51":"y", |
|
"52":"y", |
|
"53":"y", |
|
"54":"y", |
|
"55":"y", |
|
"56":"y", |
|
"57":"y", |
|
"58":"y", |
|
"60":"y", |
|
"62":"y", |
|
"63":"y", |
|
"64":"y", |
|
"65":"y", |
|
"66":"y", |
|
"67":"y", |
|
"68":"y", |
|
"69":"y", |
|
"70":"y", |
|
"71":"y #3", |
|
"72":"y #3", |
|
"73":"y #3", |
|
"74":"y #3", |
|
"75":"y #3", |
|
"76":"y #3", |
|
"77":"y #3", |
|
"78":"y #3", |
|
"79":"y #3", |
|
"80":"y #3", |
|
"81":"y #3", |
|
"82":"y #3", |
|
"83":"y #3", |
|
"84":"y #3", |
|
"85":"y #3", |
|
"86":"y #3", |
|
"87":"y #3", |
|
"88":"y #3", |
|
"89":"y #3", |
|
"90":"y #3", |
|
"91":"y #3", |
|
"92":"y #3", |
|
"93":"y #3", |
|
"94":"y #3", |
|
"95":"y #3", |
|
"96":"y #3", |
|
"97":"y #3", |
|
"98":"y #3", |
|
"99":"y #3", |
|
"100":"y #3", |
|
"101":"y #3", |
|
"102":"y #3", |
|
"103":"y #3", |
|
"104":"y #3", |
|
"105":"y #3", |
|
"106":"y #3", |
|
"107":"y #3", |
|
"108":"y #3", |
|
"109":"y #3", |
|
"110":"y #3", |
|
"111":"y #3", |
|
"112":"y #3", |
|
"113":"y #3", |
|
"114":"y #3", |
|
"115":"y #3", |
|
"116":"y #3", |
|
"117":"y #3", |
|
"118":"y #3", |
|
"119":"y #3", |
|
"120":"y #3", |
|
"121":"y #3", |
|
"122":"y #3", |
|
"123":"y #3", |
|
"124":"y #3", |
|
"125":"y #3", |
|
"126":"y #3", |
|
"127":"y #3", |
|
"131":"y #3" |
|
}, |
|
"ios_saf":{ |
|
"3.2":"n", |
|
"4.0-4.1":"n", |
|
"4.2-4.3":"n", |
|
"5.0-5.1":"n", |
|
"6.0-6.1":"n", |
|
"7.0-7.1":"n", |
|
"8":"n", |
|
"8.1-8.4":"n", |
|
"9.0-9.2":"n", |
|
"9.3":"n", |
|
"10.0-10.2":"n", |
|
"10.3":"n", |
|
"11.0-11.2":"n", |
|
"11.3-11.4":"n", |
|
"12.0-12.1":"a #5", |
|
"12.2-12.5":"a #5", |
|
"13.0-13.1":"y", |
|
"13.2":"y", |
|
"13.3":"y", |
|
"13.4-13.7":"y", |
|
"14.0-14.4":"y", |
|
"14.5-14.8":"y", |
|
"15.0-15.1":"y", |
|
"15.2-15.3":"y", |
|
"15.4":"y", |
|
"15.5":"y", |
|
"15.6-15.8":"y", |
|
"16.0":"y", |
|
"16.1":"y", |
|
"16.2":"y", |
|
"16.3":"y", |
|
"16.4":"y", |
|
"16.5":"y", |
|
"16.6-16.7":"y", |
|
"17.0":"y", |
|
"17.1":"y", |
|
"17.2":"y", |
|
"17.3":"y", |
|
"17.4":"y", |
|
"17.5":"y", |
|
"17.6-17.7":"y", |
|
"18.0":"y", |
|
"18.1":"y", |
|
"18.2":"y", |
|
"18.3":"y", |
|
"18.4":"y", |
|
"18.5-18.7":"y", |
|
"26.0":"y", |
|
"26.1":"y", |
|
"26.2":"y", |
|
"26.3":"y", |
|
"26.4":"y", |
|
"26.5":"y" |
|
}, |
|
"op_mini":{ |
|
"all":"n" |
|
}, |
|
"android":{ |
|
"2.1":"n", |
|
"2.2":"n", |
|
"2.3":"n", |
|
"3":"n", |
|
"4":"n", |
|
"4.1":"n", |
|
"4.2-4.3":"n", |
|
"4.4":"n", |
|
"4.4.3-4.4.4":"n", |
|
"147":"y" |
|
}, |
|
"bb":{ |
|
"7":"n", |
|
"10":"n" |
|
}, |
|
"op_mob":{ |
|
"10":"n", |
|
"11":"n", |
|
"11.1":"n", |
|
"11.5":"n", |
|
"12":"n", |
|
"12.1":"n", |
|
"80":"y #3" |
|
}, |
|
"and_chr":{ |
|
"147":"y #3" |
|
}, |
|
"and_ff":{ |
|
"150":"y" |
|
}, |
|
"ie_mob":{ |
|
"10":"n", |
|
"11":"n" |
|
}, |
|
"and_uc":{ |
|
"15.5":"n" |
|
}, |
|
"samsung":{ |
|
"4":"n", |
|
"5.0-5.4":"y", |
|
"6.2-6.4":"y", |
|
"7.2-7.4":"y", |
|
"8.2":"y", |
|
"9.2":"y", |
|
"10.1":"y", |
|
"11.1-11.2":"y", |
|
"12.0":"y", |
|
"13.0":"y", |
|
"14.0":"y", |
|
"15.0":"y", |
|
"16.0":"y", |
|
"17.0":"y", |
|
"18.0":"y", |
|
"19.0":"y", |
|
"20":"y", |
|
"21":"y", |
|
"22":"y", |
|
"23":"y", |
|
"24":"y", |
|
"25":"y", |
|
"26":"y", |
|
"27":"y", |
|
"28":"y", |
|
"29":"y" |
|
}, |
|
"and_qq":{ |
|
"14.9":"u" |
|
}, |
|
"baidu":{ |
|
"13.52":"y #3" |
|
}, |
|
"kaios":{ |
|
"2.5":"n", |
|
"3.0-3.1":"y" |
|
} |
|
}, |
|
"notes":"This feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie, so it is still sent with cross-site requests and gives no CSRF protection in those browsers. There is no need to deliver different cookies to clients.", |
|
"notes_by_num":{ |
|
"1":"Not shipped with the initial release; added later by the June 2018 security update (Patch Tuesday) to Windows 10 RS3 (2017 Fall Creators Update) and newer. [More info](https://github.com/MicrosoftEdge/Status/issues/616).", |
|
"2":"Partial support: supported only in IE 11 on Windows 10 RS3 (2017 Fall Creators Update) and newer, not in IE 11 on other Windows versions (Windows 7, ...)", |
|
"3":"Cookies without `SameSite` are treated as `Lax` by default; `SameSite=None` cookies without `Secure` are rejected.", |
|
"4":"Partial due to the lack of support in macOS before 10.14 Mojave.", |
|
"5":"Partial due to [the bug](https://bugs.webkit.org/show_bug.cgi?id=198181) that treats `SameSite=None` and invalid values as `Strict` in macOS before 10.15 Catalina and in iOS before 13." |
|
}, |
|
"usage_perc_y":94.5, |
|
"usage_perc_a":0.23, |
|
"ucprefix":false, |
|
"parent":"", |
|
"keywords":"security,cookies,cookie,csrf", |
|
"chrome_id":"4672634709082112,5088147346030592,5633521622188032", |
|
"shown":true |
|
}
|
|
|