Cookie attribute controlling whether the cookie is sent in a cross-site context; a CSRF prevention measure.
SameSite is a cookie attribute introduced by Google (2016) and later standardized that controls whether the cookie is sent on cross-site requests (requests initiated from another site). It became Lax by default in Chrome 80 (February 2020), a major change that reshaped CSRF defense industry-wide.
Three values:
(1) **Strict** — cookie sent only when the request comes from the same site as the cookie. Blocks ALL cross-site use: clicking a link from Google search to yoursite.com does NOT send the cookie (the user appears logged out). Maximum security, but it breaks UX.
Use case: admin panels, sensitive banking operations.
(2) **Lax** — the DEFAULT since Chrome 80 when the attribute is omitted. Cookie sent on top-level navigation GET (clicking links works, the user stays logged in) BUT not on subresource loads (img, iframe, AJAX) or cross-site POST.
A reasonable security/UX balance for the majority of cases.
(3) **None** — cookie sent cross-site as before. Also REQUIRES the Secure flag (Chrome enforces this; otherwise the cookie is ignored). Used for legitimate cross-site needs: CDN auth, embedded widgets, SSO redirects, ad tracking.
Migration impacts (2020+):
(1) **OAuth flows** — required updates for SameSite=Lax compatibility (the popup flow is fine, but a POST callback is more complex).
(2) **iframe-based widgets** — chat widgets, embedded videos with auth, payment iframes: many broke and required a SameSite=None+Secure update.
(3) **Cross-domain cookies** — sites that need cross-site state must explicitly opt in with None.
(4) **CSRF protection** — Lax provides significant baseline protection with no application changes; the CSRF attack landscape changed substantially.
Subtle issues:
(1) **Two-minute exemption** in Chrome — cookies that are Lax by default (no explicit SameSite attribute) and were set less than 2 minutes ago are still sent on cross-site top-level POST (to allow OAuth POST callbacks). A mitigation against immediate breakage.
(2) **Schemeful Same-Site** in Chrome 89 — the HTTP and HTTPS versions of a host are treated as different sites. Forces HTTPS migration.
(3) **First-Party Sets** in Chrome — group multiple domains as the same "first party" for cookie purposes (e.g. google.com + youtube.com).
Best practices:
(1) **Set SameSite explicitly** — Lax for sessions, Strict for sensitive cookies, None+Secure for legitimate cross-site use.
(2) **Test thoroughly** — third-party integrations break silently.
(3) **Monitor Sentry** for cookie-related errors after deployment.
(4) **Combine with CSRF tokens** for defense in depth (Lax is not 100% prevention).
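The three values, the None+Secure requirement, schemeful same-site and the two-minute Lax-by-default exemption can all be checked against a small model of the browser's decision. This is an added example, not code from the original entry or from any browser; it approximates the registrable domain as the last two host labels (a real browser uses the Public Suffix List) and ignores frame ancestry.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

def site_of(url: str) -> tuple:
    """Schemeful site = (scheme, registrable domain). Simplification: the
    registrable domain is taken as the last two labels; browsers consult the
    Public Suffix List instead (co.uk etc.)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    return parts.scheme, ".".join(labels[-2:])

@dataclass
class Cookie:
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None = attribute omitted
    secure: bool = False
    age_seconds: float = 3600.0      # time elapsed since the Set-Cookie response

def cookie_sent(cookie: Cookie, request_url: str, initiator_url: str,
                method: str = "GET", top_level: bool = True) -> bool:
    """Would a Chrome 80+ style browser attach `cookie` to a request for
    `request_url` initiated by a page at `initiator_url`?"""
    if cookie.secure and urlsplit(request_url).scheme != "https":
        return False                          # Secure cookies never travel over http
    mode = cookie.same_site or "Lax"          # omitted attribute behaves as Lax
    if mode == "None":
        return cookie.secure                  # None without Secure is rejected outright
    if site_of(request_url) == site_of(initiator_url):
        return True                           # same-site: Strict and Lax both send
    if mode == "Strict":
        return False                          # Strict: never on cross-site requests
    if top_level and method in ("GET", "HEAD"):
        return True                           # Lax: top-level navigation, safe method
    # "Lax + POST" exemption: only cookies WITHOUT an explicit attribute, set less
    # than two minutes ago, on a cross-site top-level POST (OAuth form_post callbacks)
    return (cookie.same_site is None and top_level
            and method == "POST" and cookie.age_seconds < 120)

def set_cookie_header(name: str, value: str, same_site: str = "Lax",
                      secure: bool = True, http_only: bool = True) -> str:
    """Build a Set-Cookie header that always states SameSite explicitly."""
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure flag")
    attrs = [f"{name}={value}", "Path=/", f"SameSite={same_site}"]
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)
```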
See the CSRF entry for full context. Skills: Security+, CISSP, OSCP.