TIL the difference between same site and same origin
Same site applies if two URLs share two things:
- The top-level domain (.com, .io, .app, ...) plus one more label of the domain name (example.com, tamagui.dev, datasette.io, ...). Browsers take the "top-level" part from the Public Suffix List rather than the literal last label, so for a host such as something.github.io the suffix is github.io and the site is the whole something.github.io.
- The same scheme (http or https)
Same origin is stricter: it compares the scheme, the full hostname (subdomains included) and the port, so https://app.example.com and https://api.example.com are same-site but not same-origin, and https://example.com and https://example.com:8443 are not same-origin either.
So, if you want a cookie to be sent between different subdomains of your application, you can still set it with SameSite=Strict: subdomains of the same registrable domain are the same site, so the cookie is attached to requests between them. Keep in mind that it is the cookie's Domain attribute (e.g. Domain=example.com), not SameSite, that makes a cookie visible to other subdomains in the first place.
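As an added example (not code from the original post), here is a small JavaScript model of the two checks described above, using a constructed stub of a few entries in place of the real Public Suffix List, plus a simplified version of the SameSite=Strict decision:

```javascript
// Added example (not from the original post): a small model of the two
// checks described above. The public-suffix table is a constructed stub
// standing in for the real Public Suffix List that browsers use.
const PUBLIC_SUFFIXES = new Set(["com", "io", "dev", "app", "co.uk", "github.io"]);

// "Registrable domain" (eTLD+1): the longest matching public suffix plus
// one more label. Returns null when the host is itself a public suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix (e.g. "localhost"): whole host
}

// Origin = scheme + full host + port; URL.origin already applies that rule.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Site = scheme + registrable domain ("schemeful same-site"); port ignored.
function siteOf(url) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname);
  return domain === null ? null : `${u.protocol}//${domain}`;
}

function sameSite(a, b) {
  const sa = siteOf(a);
  return sa !== null && sa === siteOf(b);
}

// Simplified SameSite=Strict rule: the cookie is attached only when the
// page that initiates the request and the request target are same-site.
function strictCookieSent(initiatorPage, requestUrl) {
  return sameSite(initiatorPage, requestUrl);
}
```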
Extra:
In the PortSwigger lab "SameSite Strict bypass via client-side redirect" they describe a way to bypass this protection when the application uses client-side (JavaScript) redirects and the server exposes a vulnerable endpoint.
Their example uses a change-email endpoint that accepts a GET request, which is the real weakness: a state-changing action should require a POST with a CSRF token, with SameSite acting as defence in depth rather than the only control.