https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
Firefox rolled out support for same site cookies a couple of months ago, while I believe Chrome has had them for a couple of years. But what are same site cookies?
https://www.netsparker.com/blog/web...attribute-prevent-cross-site-request-forgery/
Same site cookies are a new way to help prevent CSRF, a nasty security exploit where people can initiate form submissions from another site and it'll use your cookies to carry out whatever action they want you to.
Luckily, many software packages and frameworks have already locked down their systems making it hard to carry it out, although a few years ago, there was an attack called BREACH which threatened to compromise some of those defences with some little tricks to figure out which keys were being passed back and forth between the browser and the server.
Plus, the mitigation involves sending keys back and forth which adds room for mistake on some occasions, but not all. It's nowhere near as dangerous or prevalent as SQL Injections.
Same site hardens things further by making it so that the same site cookies will only be sent to the server when you submit a form, etc. *from* the same site as the form is being submitted to, so that there isn't any room for the baddies to sneak things in.
https://caniuse.com/#feat=same-site-cookie-attribute
Unfortunately, quite a few browsers like Safari don't support it yet, but there are a few who do.
I have already set them up in Gosora, and I believe that MyBB is adding support for them in the next 1.8.x.
Edit: P.S. Forum Promotion didn't serve a same site cookie when I logged in, so XenForo probably doesn't have them yet.
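An added example (not code from the post, from Gosora, or from any forum software mentioned above) showing what "serving a same site cookie" looks like in Go's net/http, which is the language Gosora is written in. The cookie name "session", the placeholder value and the login URL are assumptions; the SameSite, Secure and HttpOnly attributes are the real ones from the cookie specification. The helper HasSameSite performs the same check the post describes doing by hand on the Forum Promotion login cookie: look at the Set-Cookie header and see whether a SameSite attribute is present.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SessionCookie builds a login cookie with the SameSite attribute set.
// With SameSite present, a form posted from another site arrives at the server
// without this cookie, so the request cannot ride on the victim's session.
// The cookie name and the Lax/Strict choice are assumptions for this example.
func SessionCookie(value string, strict bool) *http.Cookie {
	// Lax: the cookie is still sent on top-level navigations (clicking a link
	// to the forum), but not on cross-site POSTs, which is what CSRF relies on.
	mode := http.SameSiteLaxMode
	if strict {
		// Strict: never sent on any cross-site request, even a plain link click,
		// so a user arriving from an external link lands logged out.
		mode = http.SameSiteStrictMode
	}
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		HttpOnly: true, // not readable from document.cookie
		Secure:   true, // only transmitted over HTTPS
		SameSite: mode,
	}
}

// SetCookieHeader runs a minimal login handler against a recorded request and
// returns the raw Set-Cookie header a browser would receive. The credentials
// check a real login would do is omitted; only the cookie is of interest here.
func SetCookieHeader(strict bool) string {
	rec := httptest.NewRecorder()
	// Constructed request; the host is a placeholder, not a real forum.
	req := httptest.NewRequest(http.MethodPost, "https://forum.example/login", nil)
	http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, SessionCookie("abc123", strict))
		w.WriteHeader(http.StatusNoContent)
	}).ServeHTTP(rec, req)
	return rec.Header().Get("Set-Cookie")
}

// HasSameSite reports whether a Set-Cookie header carries an explicit SameSite
// attribute. A missing attribute means the browser falls back to its default,
// which in the browsers of the time meant "send it cross-site".
func HasSameSite(setCookie string) bool {
	for _, part := range strings.Split(setCookie, ";") {
		if strings.HasPrefix(strings.ToLower(strings.TrimSpace(part)), "samesite=") {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(SetCookieHeader(false)) // session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
	fmt.Println(SetCookieHeader(true))  // session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict
	// Constructed header resembling a cookie with no SameSite attribute at all.
	fmt.Println(HasSameSite("session=abc123; Path=/; HttpOnly")) // false
}
```

Lax is the usual choice for a forum session cookie, since Strict logs the user out of any link they follow from an email or another site; either way the attribute is a second layer on top of the existing per-form CSRF token, not a replacement for it, because browsers without SameSite support (as the caniuse link shows) simply ignore the attribute.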