Yesterday's release of build 17672 may not have been tremendously exciting in terms of new features - especially after the feature-packed build 17666 - but the list of improvements included one important change that might have gone unnoticed: support for same-site cookies in Microsoft Edge and Internet Explorer 11.
Today, the company detailed the feature in a blog post, explaining how it aims to protect users from cross-site request forgery (CSRF) attacks. Web developers will be able to set the SameSite attribute on cookies for their website, which will stop the browser from attaching those cookies to requests that originate from other domains.
Historically, sites such as example.com that make “cross-origin” requests to other domains such as microsoft.com have generally caused the browser to send microsoft.com’s cookies as part of the request. Normally, the user benefits by being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. Same-site cookies are a valuable addition to the defense in depth against CSRF attacks.
Sites can now set the SameSite attribute on cookies of their choosing via the Set-Cookie header or by using the document.cookie JavaScript property, thus preventing the default browser behavior of sending cookies in cross-site requests either in all cross-site requests (via the “strict” value) or only in some less sensitive requests (via the “lax” value).
More specifically, if the Strict value is specified when a same-site cookie is set, the cookie will not be sent with any cross-site request, which includes clicking on links from external sites. Since the logged-in state is stored as a SameSite=Strict cookie, when a user clicks such a link it will initially appear as if the user is not logged in.
On the other hand, if the Lax value is specified when a same-site cookie is set, the cookie will not be sent with cross-origin sub-resource requests such as images. However, SameSite=Lax cookies will be sent when navigating from an external site, such as when a link is clicked.
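The Strict and Lax behaviours described above can be pinned down with a small model of the browser-side decision: given a cookie's SameSite value and the kind of request being made, is the cookie attached? The following is an added example, not code from the Windows Blogs post or from Microsoft Edge. It parses Set-Cookie lines, then evaluates each cookie against a handful of constructed scenarios (an external link click, an embedded image, a cross-site form POST, a same-site navigation). It goes slightly beyond the post in one respect: the Lax rule as specified in the cookie standard also requires the cross-site top-level navigation to use a safe HTTP method such as GET, so a cross-site POST does not carry a Lax cookie. The hostnames and cookie values are constructed, and the "site" comparison is simplified to the last two DNS labels (real browsers consult the Public Suffix List).

```javascript
// Added example, not code from the Windows Blogs post or from Microsoft Edge.
// Models the decision the SameSite attribute controls: is a cookie attached
// to a given request? All hostnames, cookie values and scenarios are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one Set-Cookie header value into its name, value and the attributes
// that matter here. Attribute names are case-insensitive; SameSite is
// normalised to 'Strict', 'Lax' or null (absent or unrecognised, which a
// browser simply ignores, as the post notes for older browsers).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const [k, v = ''] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': {
        const val = v.trim().toLowerCase();
        if (val === 'strict') cookie.sameSite = 'Strict';
        else if (val === 'lax') cookie.sameSite = 'Lax';
        break;
      }
      default: break; // Path, Domain, Expires, Max-Age are not needed here
    }
  }
  return cookie;
}

// "Site" of a host, approximated as its last two DNS labels. Assumption:
// real browsers use the Public Suffix List to find the registrable domain.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// The SameSite decision. request = { initiator, target, topLevel, method }.
function shouldAttachCookie(cookie, request) {
  const crossSite = siteOf(request.initiator) !== siteOf(request.target);
  if (!crossSite) return true;                 // same-site: always attached
  switch (cookie.sameSite) {
    case 'Strict':
      return false;                            // never on a cross-site request
    case 'Lax':
      // Only top-level navigations (e.g. link clicks) using a safe method.
      return request.topLevel && SAFE_METHODS.has(request.method.toUpperCase());
    default:
      return true;                             // no attribute: legacy behaviour
  }
}

// Constructed scenarios, seen from a login cookie set by microsoft.com.
const SCENARIOS = {
  linkClick:   { initiator: 'example.com', target: 'www.microsoft.com', topLevel: true,  method: 'GET' },
  imageEmbed:  { initiator: 'example.com', target: 'www.microsoft.com', topLevel: false, method: 'GET' },
  formPost:    { initiator: 'example.com', target: 'www.microsoft.com', topLevel: true,  method: 'POST' },
  sameSiteNav: { initiator: 'account.microsoft.com', target: 'www.microsoft.com', topLevel: true, method: 'GET' },
};

// For each Set-Cookie line, report which scenarios would carry the cookie.
function matrix(setCookieLines) {
  const out = {};
  for (const line of setCookieLines) {
    const c = parseSetCookie(line);
    out[c.name] = Object.fromEntries(
      Object.entries(SCENARIOS).map(([k, r]) => [k, shouldAttachCookie(c, r)])
    );
  }
  return out;
}

// Constructed sample headers: the same session cookie under each policy.
const SAMPLE_HEADERS = [
  'session_strict=abc123; Secure; HttpOnly; SameSite=Strict',
  'session_lax=def456; Secure; HttpOnly; SameSite=Lax',
  'session_legacy=ghi789; Secure; HttpOnly',
];

console.table(matrix(SAMPLE_HEADERS));
```

Running it prints a table with one row per cookie: the Strict cookie is attached only to the same-site navigation, the Lax cookie additionally to the external link click but not to the embedded image or the cross-site POST, and the cookie without the attribute to every request, which is exactly the request shape a CSRF attack relies on.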
For developers worried about backward compatibility, Microsoft clarifies that browsers which don't support same-site cookies will simply ignore the attribute and process the cookies as expected, meaning the feature won't negatively impact browsers that don't support it.
Even though it's currently being tested in the Redstone 5 development branch, Microsoft says the feature will be added to Microsoft Edge and Internet Explorer 11 on the Windows 10 Creators Update and newer, which suggests that finalized support could be added without having to wait for the next major Windows 10 update in the fall.
Source: Windows Blogs