Alejandro Cuenca E.
tiny TIL - same site vs same origin for cookies

TIL the difference between same site and same origin

Two URLs are same site if they share two things:

  • The top-level domain (.com, .io, .app, ...) plus one more label of the domain name (example.com, tamagui.dev, datasette.io, ...)
  • The same scheme (http or https)

Same origin is stricter: the scheme, the full host name (subdomains included) and the port all have to match.

So, if you want to share a cookie across different subdomains of your application, you should be able to use SameSite=Strict, because the subdomains are still the same site.
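As an added example (not code from the original post), here is a small JavaScript model of the two notions above and of the decision a browser makes when attaching a SameSite cookie. It assumes the registrable domain is simply the last two labels of the host name; real browsers consult the Public Suffix List, so for hosts like `a.github.io` and `b.github.io` this simplification gives the wrong answer. The function and parameter names are this example's own.

```javascript
// Added example: classify two URLs as same-origin / same-site and decide whether a
// cookie with a given SameSite attribute is attached to a request between them.
//
// Assumption: "site" = scheme + registrable domain, and the registrable domain is
// approximated as the last two DNS labels. Real browsers use the Public Suffix List.

function origin(urlString) {
  const u = new URL(urlString);
  // URL.port is "" when the default port is used, so make it explicit before comparing.
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function registrableDomain(hostname) {
  // Simplification: TLD plus one label (example.com, tamagui.dev, datasette.io).
  return hostname.split(".").slice(-2).join(".");
}

function site(urlString) {
  const u = new URL(urlString);
  // "Schemeful" same-site: http://example.com and https://example.com are different sites.
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameOrigin(a, b) {
  return origin(a) === origin(b);
}

function isSameSite(a, b) {
  return site(a) === site(b);
}

// Decide whether a cookie with `sameSite` is sent on a request that `initiator`
// makes to `target`. `topLevelNavigation` is true for link clicks and other
// top-level navigations, false for subresources and fetch()/XHR calls.
function cookieSent({ sameSite, initiator, target, topLevelNavigation = false, method = "GET" }) {
  // Same-site requests always carry the cookie, whatever the SameSite value.
  if (isSameSite(initiator, target)) return true;
  switch (sameSite) {
    case "Strict":
      return false;                                   // never on cross-site requests
    case "Lax":
      return topLevelNavigation && method === "GET";  // only top-level safe navigations
    case "None":
      return new URL(target).protocol === "https:";   // None is only honoured with Secure
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Illustrates the post's claim: subdomains are not same-origin but are same-site,
// so a Strict cookie still flows between app.example.com and api.example.com.
console.log(isSameOrigin("https://app.example.com", "https://api.example.com")); // false
console.log(isSameSite("https://app.example.com", "https://api.example.com"));   // true
console.log(cookieSent({ sameSite: "Strict", initiator: "https://app.example.com",
                         target: "https://api.example.com/me" }));                // true
```

Note the first line of `cookieSent`: once a request is same-site, the SameSite attribute no longer plays any role. That is why a state-changing endpoint that accepts GET needs its own CSRF protection rather than relying on the cookie attribute alone.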

Extra:
In the PortSwigger lab "SameSite Strict bypass via client-side redirect" they describe a way to bypass this protection when the application performs client-side (JavaScript) redirects and the server exposes a vulnerable endpoint.

Their example uses a change email endpoint that accepts a get request.
