6

So I've read about Chrome 80's cookies defaulting to SameSite=Lax and like the rest of you, I'm now trying to mesure the impact this will have on my site.

The site I'm running is split on several sub-domains and each of them uses their own cookie. It looks like this:

  • first-site.domain.com uses Cookie1 (path=/; secure; httponly)
  • second-site.domain.com uses Cookie2 (path=/; secure; httponly)

Since these cookies do not specify the SameSite attribute, they are supposed to be treated as Lax on Chrome 80 and therefore should be limited to same-site requests (unless it's a top level navigation).

Then, according to SameSite cookies explained:

If the user is on your-project.github.io and requests an image from my-project.github.io that's a cross-site request.

So when I enabled the “SameSite by default cookies” and “Cookies without SameSite must be secure” flags, I was surprised to observe that when first-site.domain.com embeds second-site.domain.com in a frame, Cookie2 was still being sent to second-site.domain.com, which seems contradictory.

Surely I must have misunderstood something, but at the moment, I'm still puzzled.

Note: I've verified that when I embed second-site.domain.com in a frame on anotherdomain.com, the cookies are not sent by the browser (as expected).

Gyum Fox
  • 3,287
  • 2
  • 41
  • 71

1 Answers1

14

If "domain.com" is on the public suffix list, then subdomain1.domain.com and subdomain2.domain.com are considered different sites. Otherwise, they are considered the same site.

The relevant notion of "site" when it comes to SameSite cookies is the eTLD+1 (effective Top Level Domain + 1 label). An effective Top Level Domain is something like .com or .co.uk or .github.io. All the eTLD's are listed on the public suffix list.

An eTLD+1 is the effective Top Level Domain plus the 1 label immediately to its left. The eTLD+1 is also called the "registrable domain". The intuition is that two different eTLD+1's are controlled by different entities, and everything that is a subdomain of the same eTLD+1 is controlled by the same entity. For example, mysite.github.io is a different eTLD+1 than yoursite.github.io, because I cannot modify your site, and you can't modify mine. On the other hand, the same company owns both subdomain1.domain.com and subdomain2.domain.com and modify both sites.

If the eTLD+1's are the same for two domain names, they are considered the same site for the purposes of SameSite cookies.

chlily
  • 2,637
  • 1
  • 8
  • 9
  • 3
    So this means that while _your-project.github.io_ and _my-project.github.io_ are treated as separate sites (because github.io is the TLD), _first-site.domain.com_ and _second-site.domain.com_ are treated as the same site (because .com is the TLD). Did I understand you correctly? – Gyum Fox Jan 16 '20 at 16:55
  • @GyumFox indeed because as he writes above "An effective Top Level Domain is something like .com or .co.uk or .github.io. All the eTLD's are listed on the public suffix list." But oh boy what a complete and self-contained answer. Had to reread it 15 times meticulously to make sure I fully get it. Thanks much to OP – Karen Grigoryan Feb 03 '21 at 21:15