441 lines
9.7 KiB
JSON
441 lines
9.7 KiB
JSON
|
{
|
||
|
"title":"'SameSite' cookie attribute",
|
||
|
"description":"Same-site cookies (\"First-Party-Only\" or \"First-Party\") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.",
|
||
|
"spec":"https://tools.ietf.org/html/draft-west-first-party-cookies-06",
|
||
|
"status":"other",
|
||
|
"links":[
|
||
|
{
|
||
|
"url":"http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/",
|
||
|
"title":"Preventing CSRF with the same-site cookie attribute"
|
||
|
},
|
||
|
{
|
||
|
"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=795346",
|
||
|
"title":"Mozilla Bug #795346: Add SameSite support for cookies"
|
||
|
},
|
||
|
{
|
||
|
"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1286861",
|
||
|
"title":"Mozilla Bug #1286861, includes the patches that landed SameSite support in Firefox"
|
||
|
},
|
||
|
{
|
||
|
"url":"https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/17140412-support-samesite-cookie-option",
|
||
|
"title":"Microsoft Edge feature request on UserVoice"
|
||
|
},
|
||
|
{
|
||
|
"url":"https://developer.microsoft.com/en-us/microsoft-edge/platform/status/samesitecookies/",
|
||
|
"title":"Microsoft Edge Browser Status"
|
||
|
},
|
||
|
{
|
||
|
"url":"https://blogs.windows.com/msedgedev/2018/05/17/samesite-cookies-microsoft-edge-internet-explorer/",
|
||
|
"title":"MS Edge dev blog: \"Previewing support for same-site cookies in Microsoft Edge\""
|
||
|
},
|
||
|
{
|
||
|
"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1551798",
|
||
|
"title":"Mozilla Bug #1551798: Prototype SameSite=Lax by default"
|
||
|
},
|
||
|
{
|
||
|
"url":"https://peaceful-wing.glitch.me",
|
||
|
"title":"Same-site cookies demonstration by Rowan Merewood"
|
||
|
}
|
||
|
],
|
||
|
"bugs":[
|
||
|
{
|
||
|
"description":"On [Safari in macOS before 10.14.4 and iOS before 12.2](https://bugs.webkit.org/show_bug.cgi?id=188165#c43), some authentication flows with a cross-site identity provider might fail when `SameSite=Lax` is used. See [the explanation and a workaround.](https://brockallen.com/2019/01/11/same-site-cookies-asp-net-core-and-external-authentication-providers/)"
|
||
|
},
|
||
|
{
|
||
|
"description":"On [Safari before 12.1.1 and iOS before 12.3](https://trac.webkit.org/changeset/241918/webkit), manually visiting a redirection link to a cross-site omits `Lax` cookies from the cross-site request. See [the bug.](https://bugs.webkit.org/show_bug.cgi?id=196375)"
|
||
|
}
|
||
|
],
|
||
|
"categories":[
|
||
|
"Security"
|
||
|
],
|
||
|
"stats":{
|
||
|
"ie":{
|
||
|
"5.5":"n",
|
||
|
"6":"n",
|
||
|
"7":"n",
|
||
|
"8":"n",
|
||
|
"9":"n",
|
||
|
"10":"n",
|
||
|
"11":"a #1 #2"
|
||
|
},
|
||
|
"edge":{
|
||
|
"12":"n",
|
||
|
"13":"n",
|
||
|
"14":"n",
|
||
|
"15":"n",
|
||
|
"16":"y #1",
|
||
|
"17":"y #1",
|
||
|
"18":"y",
|
||
|
"79":"y",
|
||
|
"80":"y",
|
||
|
"81":"y",
|
||
|
"83":"y",
|
||
|
"84":"y"
|
||
|
},
|
||
|
"firefox":{
|
||
|
"2":"n",
|
||
|
"3":"n",
|
||
|
"3.5":"n",
|
||
|
"3.6":"n",
|
||
|
"4":"n",
|
||
|
"5":"n",
|
||
|
"6":"n",
|
||
|
"7":"n",
|
||
|
"8":"n",
|
||
|
"9":"n",
|
||
|
"10":"n",
|
||
|
"11":"n",
|
||
|
"12":"n",
|
||
|
"13":"n",
|
||
|
"14":"n",
|
||
|
"15":"n",
|
||
|
"16":"n",
|
||
|
"17":"n",
|
||
|
"18":"n",
|
||
|
"19":"n",
|
||
|
"20":"n",
|
||
|
"21":"n",
|
||
|
"22":"n",
|
||
|
"23":"n",
|
||
|
"24":"n",
|
||
|
"25":"n",
|
||
|
"26":"n",
|
||
|
"27":"n",
|
||
|
"28":"n",
|
||
|
"29":"n",
|
||
|
"30":"n",
|
||
|
"31":"n",
|
||
|
"32":"n",
|
||
|
"33":"n",
|
||
|
"34":"n",
|
||
|
"35":"n",
|
||
|
"36":"n",
|
||
|
"37":"n",
|
||
|
"38":"n",
|
||
|
"39":"n",
|
||
|
"40":"n",
|
||
|
"41":"n",
|
||
|
"42":"n",
|
||
|
"43":"n",
|
||
|
"44":"n",
|
||
|
"45":"n",
|
||
|
"46":"n",
|
||
|
"47":"n",
|
||
|
"48":"n",
|
||
|
"49":"n",
|
||
|
"50":"n",
|
||
|
"51":"n",
|
||
|
"52":"n",
|
||
|
"53":"n",
|
||
|
"54":"n",
|
||
|
"55":"n",
|
||
|
"56":"n",
|
||
|
"57":"n",
|
||
|
"58":"n",
|
||
|
"59":"n",
|
||
|
"60":"y",
|
||
|
"61":"y",
|
||
|
"62":"y",
|
||
|
"63":"y",
|
||
|
"64":"y",
|
||
|
"65":"y",
|
||
|
"66":"y",
|
||
|
"67":"y",
|
||
|
"68":"y",
|
||
|
"69":"y",
|
||
|
"70":"y",
|
||
|
"71":"y",
|
||
|
"72":"y",
|
||
|
"73":"y",
|
||
|
"74":"y",
|
||
|
"75":"y",
|
||
|
"76":"y",
|
||
|
"77":"y",
|
||
|
"78":"y",
|
||
|
"79":"y",
|
||
|
"80":"y",
|
||
|
"81":"y",
|
||
|
"82":"y"
|
||
|
},
|
||
|
"chrome":{
|
||
|
"4":"n",
|
||
|
"5":"n",
|
||
|
"6":"n",
|
||
|
"7":"n",
|
||
|
"8":"n",
|
||
|
"9":"n",
|
||
|
"10":"n",
|
||
|
"11":"n",
|
||
|
"12":"n",
|
||
|
"13":"n",
|
||
|
"14":"n",
|
||
|
"15":"n",
|
||
|
"16":"n",
|
||
|
"17":"n",
|
||
|
"18":"n",
|
||
|
"19":"n",
|
||
|
"20":"n",
|
||
|
"21":"n",
|
||
|
"22":"n",
|
||
|
"23":"n",
|
||
|
"24":"n",
|
||
|
"25":"n",
|
||
|
"26":"n",
|
||
|
"27":"n",
|
||
|
"28":"n",
|
||
|
"29":"n",
|
||
|
"30":"n",
|
||
|
"31":"n",
|
||
|
"32":"n",
|
||
|
"33":"n",
|
||
|
"34":"n",
|
||
|
"35":"n",
|
||
|
"36":"n",
|
||
|
"37":"n",
|
||
|
"38":"n",
|
||
|
"39":"n",
|
||
|
"40":"n",
|
||
|
"41":"n",
|
||
|
"42":"n",
|
||
|
"43":"n",
|
||
|
"44":"n",
|
||
|
"45":"n",
|
||
|
"46":"n",
|
||
|
"47":"n",
|
||
|
"48":"n",
|
||
|
"49":"n",
|
||
|
"50":"n",
|
||
|
"51":"y",
|
||
|
"52":"y",
|
||
|
"53":"y",
|
||
|
"54":"y",
|
||
|
"55":"y",
|
||
|
"56":"y",
|
||
|
"57":"y",
|
||
|
"58":"y",
|
||
|
"59":"y",
|
||
|
"60":"y",
|
||
|
"61":"y",
|
||
|
"62":"y",
|
||
|
"63":"y",
|
||
|
"64":"y",
|
||
|
"65":"y",
|
||
|
"66":"y",
|
||
|
"67":"y",
|
||
|
"68":"y",
|
||
|
"69":"y",
|
||
|
"70":"y",
|
||
|
"71":"y",
|
||
|
"72":"y",
|
||
|
"73":"y",
|
||
|
"74":"y",
|
||
|
"75":"y",
|
||
|
"76":"y",
|
||
|
"77":"y",
|
||
|
"78":"y",
|
||
|
"79":"y",
|
||
|
"80":"y #3",
|
||
|
"81":"y #3",
|
||
|
"83":"y #3",
|
||
|
"84":"y #3",
|
||
|
"85":"y #3",
|
||
|
"86":"y #3",
|
||
|
"87":"y #3",
|
||
|
"88":"y #3"
|
||
|
},
|
||
|
"safari":{
|
||
|
"3.1":"n",
|
||
|
"3.2":"n",
|
||
|
"4":"n",
|
||
|
"5":"n",
|
||
|
"5.1":"n",
|
||
|
"6":"n",
|
||
|
"6.1":"n",
|
||
|
"7":"n",
|
||
|
"7.1":"n",
|
||
|
"8":"n",
|
||
|
"9":"n",
|
||
|
"9.1":"n",
|
||
|
"10":"n",
|
||
|
"10.1":"n",
|
||
|
"11":"n",
|
||
|
"11.1":"n",
|
||
|
"12":"a #4 #5",
|
||
|
"12.1":"a #4 #5",
|
||
|
"13":"a #4 #5",
|
||
|
"13.1":"a #5",
|
||
|
"14":"a #5",
|
||
|
"TP":"a #5"
|
||
|
},
|
||
|
"opera":{
|
||
|
"9":"n",
|
||
|
"9.5-9.6":"n",
|
||
|
"10.0-10.1":"n",
|
||
|
"10.5":"n",
|
||
|
"10.6":"n",
|
||
|
"11":"n",
|
||
|
"11.1":"n",
|
||
|
"11.5":"n",
|
||
|
"11.6":"n",
|
||
|
"12":"n",
|
||
|
"12.1":"n",
|
||
|
"15":"n",
|
||
|
"16":"n",
|
||
|
"17":"n",
|
||
|
"18":"n",
|
||
|
"19":"n",
|
||
|
"20":"n",
|
||
|
"21":"n",
|
||
|
"22":"n",
|
||
|
"23":"n",
|
||
|
"24":"n",
|
||
|
"25":"n",
|
||
|
"26":"n",
|
||
|
"27":"n",
|
||
|
"28":"n",
|
||
|
"29":"n",
|
||
|
"30":"n",
|
||
|
"31":"n",
|
||
|
"32":"n",
|
||
|
"33":"n",
|
||
|
"34":"n",
|
||
|
"35":"n",
|
||
|
"36":"n",
|
||
|
"37":"n",
|
||
|
"38":"n",
|
||
|
"39":"y",
|
||
|
"40":"y",
|
||
|
"41":"y",
|
||
|
"42":"y",
|
||
|
"43":"y",
|
||
|
"44":"y",
|
||
|
"45":"y",
|
||
|
"46":"y",
|
||
|
"47":"y",
|
||
|
"48":"y",
|
||
|
"49":"y",
|
||
|
"50":"y",
|
||
|
"51":"y",
|
||
|
"52":"y",
|
||
|
"53":"y",
|
||
|
"54":"y",
|
||
|
"55":"y",
|
||
|
"56":"y",
|
||
|
"57":"y",
|
||
|
"58":"y",
|
||
|
"60":"y",
|
||
|
"62":"y",
|
||
|
"63":"y",
|
||
|
"64":"y",
|
||
|
"65":"y",
|
||
|
"66":"y",
|
||
|
"67":"y",
|
||
|
"68":"y",
|
||
|
"69":"y",
|
||
|
"70":"y"
|
||
|
},
|
||
|
"ios_saf":{
|
||
|
"3.2":"n",
|
||
|
"4.0-4.1":"n",
|
||
|
"4.2-4.3":"n",
|
||
|
"5.0-5.1":"n",
|
||
|
"6.0-6.1":"n",
|
||
|
"7.0-7.1":"n",
|
||
|
"8":"n",
|
||
|
"8.1-8.4":"n",
|
||
|
"9.0-9.2":"n",
|
||
|
"9.3":"n",
|
||
|
"10.0-10.2":"n",
|
||
|
"10.3":"n",
|
||
|
"11.0-11.2":"n",
|
||
|
"11.3-11.4":"n",
|
||
|
"12.0-12.1":"a #5",
|
||
|
"12.2-12.4":"a #5",
|
||
|
"13.0-13.1":"y",
|
||
|
"13.2":"y",
|
||
|
"13.3":"y",
|
||
|
"13.4-13.5":"y",
|
||
|
"14.0":"y"
|
||
|
},
|
||
|
"op_mini":{
|
||
|
"all":"n"
|
||
|
},
|
||
|
"android":{
|
||
|
"2.1":"n",
|
||
|
"2.2":"n",
|
||
|
"2.3":"n",
|
||
|
"3":"n",
|
||
|
"4":"n",
|
||
|
"4.1":"n",
|
||
|
"4.2-4.3":"n",
|
||
|
"4.4":"n",
|
||
|
"4.4.3-4.4.4":"n",
|
||
|
"81":"y"
|
||
|
},
|
||
|
"bb":{
|
||
|
"7":"n",
|
||
|
"10":"n"
|
||
|
},
|
||
|
"op_mob":{
|
||
|
"10":"n",
|
||
|
"11":"n",
|
||
|
"11.1":"n",
|
||
|
"11.5":"n",
|
||
|
"12":"n",
|
||
|
"12.1":"n",
|
||
|
"46":"y"
|
||
|
},
|
||
|
"and_chr":{
|
||
|
"84":"y #3"
|
||
|
},
|
||
|
"and_ff":{
|
||
|
"79":"y"
|
||
|
},
|
||
|
"ie_mob":{
|
||
|
"10":"n",
|
||
|
"11":"n"
|
||
|
},
|
||
|
"and_uc":{
|
||
|
"12.12":"n"
|
||
|
},
|
||
|
"samsung":{
|
||
|
"4":"n",
|
||
|
"5.0-5.4":"y",
|
||
|
"6.2-6.4":"y",
|
||
|
"7.2-7.4":"y",
|
||
|
"8.2":"y",
|
||
|
"9.2":"y",
|
||
|
"10.1":"y",
|
||
|
"11.1-11.2":"y",
|
||
|
"12.0":"y"
|
||
|
},
|
||
|
"and_qq":{
|
||
|
"10.4":"u"
|
||
|
},
|
||
|
"baidu":{
|
||
|
"7.12":"y"
|
||
|
},
|
||
|
"kaios":{
|
||
|
"2.5":"n"
|
||
|
}
|
||
|
},
|
||
|
"notes":"This feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie. There is no need to deliver different cookies to clients.",
|
||
|
"notes_by_num":{
|
||
|
"1":"Not shipped with the inital release but later with the 2018 June security update (Patch Tuesday) to Windows 10 RS3 (2017 Fall Creators Update) and newer. [More info](https://github.com/MicrosoftEdge/Status/issues/616).",
|
||
|
"2":"Partial support because only supported in IE 11 on Windows 10 RS3 (2017 Fall Creators Update) and newer, but not in IE 11 on other Windows versions (Windows 7, ...)",
|
||
|
"3":"Implemented [Incrementally Better Cookies](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00) by default: Cookies without `SameSite` are treated as `Lax`, `SameSite=None` cookies without `Secure` are rejected.",
|
||
|
"4":"Partial due to the lack of support in macOS before 10.14 Mojave.",
|
||
|
"5":"Partial due to [the bug](https://bugs.webkit.org/show_bug.cgi?id=198181) that treats `SameSite=None` and invalid values as `Strict` in macOS before 10.15 Catalina and in iOS before 13."
|
||
|
},
|
||
|
"usage_perc_y":83.82,
|
||
|
"usage_perc_a":8.37,
|
||
|
"ucprefix":false,
|
||
|
"parent":"",
|
||
|
"keywords":"security,cookies,cookie,csrf",
|
||
|
"ie_id":"",
|
||
|
"chrome_id":"4672634709082112,5088147346030592,5633521622188032",
|
||
|
"firefox_id":"",
|
||
|
"webkit_id":"",
|
||
|
"shown":true
|
||
|
}
|