4

The user is on site-a.com and there is an iframe with site-b.com. site-b.com makes a GET request back to site-a.com (inside the iframe). Will Lax cookies for the cross-site GET to site-a.com be sent with the request?

To be more clear:

  • Before GET request: site-b.com iframed in site-a.com
  • After GET request: site-a.com iframed in site-a.com

From my observation, in Chrome 91 canary this cookie is blocked, while it is not blocked in Chrome 88. I thought that only Lax+POST is problematic, but it looks like Lax+GET is now also blocked in some cases. Is there any information/spec about cross-site GET+Lax cookies?

CoperNick

1 Answer

7

First off, the request from site-b.com to site-a.com is a cross-site request. It doesn't matter whether it's a GET or a POST; the fact that it's between two different registrable domains (a.k.a. eTLD+1s) means it's cross-site.

The specification allows for Lax cookies to be sent with cross-site requests only if they are top-level requests AND have a safe method (GET, but not POST):

   *  If the cookie's same-site-flag is not "None", and the HTTP
      request is cross-site (as defined in Section 5.2) then exclude
      the cookie unless all of the following statements hold:

      1.  The same-site-flag is "Lax" or "Default".

      2.  The HTTP request's method is "safe".

      3.  The HTTP request's target browsing context is a top-level
          browsing context.

A request inside an iframe is not a top-level request, hence Lax cookies aren't sent with a cross-site request on an iframe, regardless of what the request method is.

Chrome used to have a bug in this behavior, where the top-level requirement wasn't followed exactly. (It used to be that Chrome would send Lax cookies if the iframe and all of its ancestors matched the top level. This was buggy because the spec says it literally needs to be the top level.) What you're seeing is the correct behavior after the bug was fixed in Chrome 90.

chlily
  • I don't want to switch to SameSite=None. Do you think that using a redirect after the cross-site GET would be a good solution, or will the redirect be considered a continuation of the cross-site request, and hence also cross-site, in v90 or in future versions? – CoperNick Mar 18 '21 at 00:43
  • If the request is B->A-(redirect)->A, it is still considered a cross-site request because the origin initiating the request is site B and you ultimately end up on site A. SameSite=None is one option (probably the most natural option, given that you are fundamentally working with a cross-site request in this scenario). Another option is to do a same-site navigation (not a redirect) following the initial cross-site request, e.g. location.href or have the user click a link. – chlily Mar 18 '21 at 03:37
  • Let me explain why I'm thinking about a different solution than setting SameSite=None. 1. I think that the recent changes to cookie behavior bring us to a new security level, and setting SameSite=None feels to me similar to staying in the old unsafe mode. (correct me if I'm wrong) 2. Our product is quite big, so I want to allow cross-site requests only for specific pages. 3. We are managing clients' money. – CoperNick Mar 18 '21 at 12:52
  • Can you convert the GET into a top-level navigation? Then you could use lax mode. If you have cross-site requests on certain pages only, but want SameSite for other pages, consider using two cookies (one with SameSite=None and another in Lax mode). See this section of the spec which sort of hints at the same approach (except for two separate cookies that are Lax and Strict): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07#section-8.8.2 – chlily Mar 18 '21 at 14:17
  • I think you got the following wrong: "A request inside an iframe is not a top-level request, hence Lax cookies aren't sent with a cross-site request on an iframe, regardless of what the request method is.". What matters is if the _target_ browsing context is a top-level domain and not the source/origin browsing context. You can make a request from an `iframe` that targets a top level window (using `_blank` for example), in which case, if the request method is safe, a cookie with a `SameSite` of `Lax` will be sent. – Duarte Cunha Leão Nov 12 '21 at 18:34
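The attachment rule quoted in the answer, together with the redirect case and the target-browsing-context point raised in the comments, as an added example that is not part of the original question, answer or comments. It is a small JavaScript model of the rfc6265bis "same-site-flag" check: a request is cross-site when the initiator's registrable domain differs from the target's, and a Lax (or Default) cookie then survives only for a safe method into a top-level browsing context. The suffix list, the request shape (initiatorHost, targetHost, targetIsTopLevel), the host names and the "Chrome 88" function that models the pre-90 ancestor-chain behaviour described in the answer are all assumptions made for the example; real browsers use the full Public Suffix List.

```javascript
// Model of the SameSite attachment rule from draft-ietf-httpbis-rfc6265bis 5.4.
// Added example, not code from the original page; hosts and scenarios are constructed.

// Stand-in for the Public Suffix List (assumption: only these suffixes exist).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1): the longest public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join("."); // null: host is a bare suffix
    }
  }
  return host.toLowerCase(); // unknown suffix: treat the whole host as the site
}

function isSameSite(hostA, hostB) {
  const a = registrableDomain(hostA), b = registrableDomain(hostB);
  return a !== null && a === b;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// request = { method, initiatorHost, targetHost, targetIsTopLevel }
//   initiatorHost    site whose context issued the request; for a redirect chain
//                    this stays the site that started the chain (see followRedirect)
//   targetHost       host of the request URL
//   targetIsTopLevel true only if the browsing context the response loads into
//                    is the top-level one (a frame fetching into itself is not)
function isCrossSiteRequest(request) {
  return !isSameSite(request.initiatorHost, request.targetHost);
}

// cookie = { sameSite: "Strict" | "Lax" | "None" | "Default", secure: boolean }
// Returns true if the cookie is attached to the request under the spec text.
function cookieIsSent(cookie, request) {
  // SameSite=None is only honoured with Secure (Chrome rejects the cookie otherwise).
  if (cookie.sameSite === "None") return cookie.secure === true;
  if (!isCrossSiteRequest(request)) return true;
  return (
    (cookie.sameSite === "Lax" || cookie.sameSite === "Default") &&
    SAFE_METHODS.has(request.method.toUpperCase()) &&
    request.targetIsTopLevel === true
  );
}

// A redirect produces a new request to the next location, but the initiator is
// unchanged, so B -> A -(redirect)-> A is still cross-site for the second hop.
function followRedirect(request, nextHost, nextMethod) {
  return { ...request, targetHost: nextHost, method: nextMethod };
}

// Model of the pre-Chrome-90 behaviour described in the answer (assumption):
// Lax cookies were also sent into a frame when the frame and all of its
// ancestors were same-site with the request target.
function cookieIsSentChrome88(cookie, request, ancestorHosts) {
  if (cookieIsSent(cookie, request)) return true;
  if (cookie.sameSite !== "Lax" && cookie.sameSite !== "Default") return false;
  if (!SAFE_METHODS.has(request.method.toUpperCase())) return false;
  return ancestorHosts.every((h) => isSameSite(h, request.targetHost));
}

// Scenarios from the thread (constructed hosts).
const lax = { sameSite: "Lax", secure: true };
const none = { sameSite: "None", secure: true };

// 1. The question: site-b.com frame inside site-a.com does a GET to site-a.com
//    that loads into the frame itself.
const framedGet = { method: "GET", initiatorHost: "site-b.com",
                    targetHost: "site-a.com", targetIsTopLevel: false };
// 2. Same GET, but targeting a top-level context (e.g. target="_blank").
const topLevelGet = { ...framedGet, targetIsTopLevel: true };
// 3. Cross-site POST into the top level.
const topLevelPost = { ...topLevelGet, method: "POST" };
// 4. B -> A -(redirect)-> A, still inside the frame.
const redirectedGet = followRedirect(framedGet, "www.site-a.com", "GET");
// 5. Same-site request from a subdomain.
const sameSiteGet = { ...framedGet, initiatorHost: "app.site-a.com" };

function scenarioResults() {
  return {
    framedGetLax: cookieIsSent(lax, framedGet),                          // false
    framedGetLaxChrome88: cookieIsSentChrome88(lax, framedGet, ["site-a.com"]), // true
    framedGetNone: cookieIsSent(none, framedGet),                        // true
    topLevelGetLax: cookieIsSent(lax, topLevelGet),                      // true
    topLevelPostLax: cookieIsSent(lax, topLevelPost),                    // false
    redirectedGetLax: cookieIsSent(lax, redirectedGet),                  // false
    sameSiteStrict: cookieIsSent({ sameSite: "Strict", secure: true }, sameSiteGet), // true
  };
}

console.log(scenarioResults());
```

The only inputs that flip the outcome for a Lax cookie in the question's setup are the method and whether the target context is top-level; redirecting after the framed cross-site GET changes neither, which is why the comment thread ends up with either SameSite=None (with Secure) or a genuinely top-level, same-site-initiated navigation.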