
When reading about SameSite attribute I came across the term top-level navigation.

As I understood it, it's when a user has website1.com open in a browser and then clicks a link that navigates the browser to some other site, e.g. website2.com. But this is a loose definition.

So what exactly is top-level navigation in browser terminology? Is there some specification or RFC with a strict definition of this term?

Can it be triggered in ways other than clicking a link that leads to another website (i.e. having `<a href="website2.com">website2.com</a>` on website1.com)? What if I just enter the website2.com URL directly in the browser's address bar, is that considered a top-level navigation?

Also, is top-level navigation important in other areas of browser/HTTP/security besides its use with cookies and the SameSite attribute?

mlst

  • *“top-level navigation”* is shorthand for *“navigating a top-level browsing context”*, and the relevant RFC here is https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis, which is an update to https://datatracker.ietf.org/doc/html/rfc6265. See specifically substep 3 at https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#page-32. – sideshowbarker May 25 '21 at 14:55
  • And for the definition of *“top-level browsing context”*, see https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context — *“A browsing context that has no parent browsing context is the top-level browsing context for itself and all of the browsing contexts for which it is an ancestor browsing context.”* – sideshowbarker May 25 '21 at 15:01
  • So, further navigation within "website2.com" is not a top-level navigation anymore? It's just the "first access" to the linked website? – Eric Burel Dec 19 '22 at 11:03
  • @EricBurel that is my current guess as well (*if I can confirm this I can put it as an answer*), whereas the OP says an anchor tag at *website1.com* navigating you to *website2.com* is TLN (*top level navigation*), but hardcoding the URL while **at** *website1.com* to *website2.com* (enter) is not a TLN. Hence why the `strict` value means that *website1.com* navigating to ***login**.website1.com* at a different subdomain ([*even with the same domain*](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value)) means no cookies will be sent. – Aleksandar Apr 20 '23 at 18:31
  • In an example where *website1.com* is a gaming site and a user has received "*1 free skin*", when the user opens the confirmation e-mail at "*gmail.com*" which leads them to "*website1.com/free?skin=abc*", then an auth cookie with "*sameSite: 'Lax'*" will successfully verify the user and grant them *1 free skin*, versus the same situation with an auth cookie with "*sameSite: 'Strict'*", which will **not** be sent to the server, so the request would fail and the user won't receive anything. – Aleksandar Apr 20 '23 at 18:47

1 Answer


Basically, TOP LEVEL navigation changes the URL in your address bar. Resources that are loaded by iframe, img tags, and script tags do not change the URL in the address bar, so none of them cause TOP LEVEL navigation.
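To make the distinction concrete, here is an added example (not code from the question, the comments or the answer) that models the SameSite decision from RFC 6265bis: a cookie is withheld or sent depending on whether the request is cross-site, whether it is a top-level navigation (address bar changes) and whether the method is "safe". The scenario values (`gmail.com`, `website1.com`, `other-site.example`) are constructed, and "site" is simplified to scheme plus the last two host labels, ignoring the public suffix list.

```python
from dataclasses import dataclass

# Simplified "site" (scheme + registrable domain) for this example; a real
# browser consults the public suffix list, which is deliberately omitted here.
def site_of(host: str, scheme: str = "https") -> tuple[str, str]:
    labels = host.lower().split(".")
    return scheme, ".".join(labels[-2:])

# "Safe" HTTP methods per RFC 7231; Lax cookies ride only on these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass(frozen=True)
class Request:
    initiator_host: str  # site of the document that initiated the request
    target_host: str     # site the request is sent to
    top_level: bool      # True if it navigates the top-level browsing context
    method: str = "GET"

def cookie_is_sent(same_site: str, req: Request) -> bool:
    """Apply the SameSite rules of RFC 6265bis (simplified).

    Strict: sent only on same-site requests.
    Lax:    same-site requests, plus cross-site top-level navigations
            (link clicks, typed URLs, redirects) using a safe method.
    None:   always sent (the Secure requirement is not modeled here).
    """
    mode = same_site.lower()
    cross_site = site_of(req.initiator_host) != site_of(req.target_host)
    if not cross_site or mode == "none":
        return True
    if mode == "strict":
        return False
    if mode == "lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {same_site}")

# Constructed scenario from the comments: a link in a Gmail message that
# leads to website1.com/free?skin=abc, a cross-site top-level navigation.
EMAIL_LINK = Request("gmail.com", "website1.com", top_level=True)
# Constructed: website1.com loaded as an <img>/<iframe> from another site;
# the address bar does not change, so this is not a top-level navigation.
EMBEDDED_SUBRESOURCE = Request("other-site.example", "website1.com", top_level=False)
# Constructed: per the spec's definition of "site", a subdomain of the same
# registrable domain is same-site, so even Strict cookies accompany it.
SUBDOMAIN_NAV = Request("website1.com", "login.website1.com", top_level=True)
```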