TIL the difference between same site and same origin
Same site applies if two URLs share 2 things:
- The top-level domain (.com, .io, .app, ...) plus one level of the domain name (example.com, tamagui.dev, datasette.io, ...)
- The same scheme (http or https)
Same origin is stricter: the scheme, the full host (subdomain included) and the port must all match.
So, if you want to share a cookie across different subdomains in your application, you should be able to use SameSite=Strict.
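To make the two rules concrete, here is an added example (not code from the original post) that computes the "site" and the "origin" of two URLs and compares them. It uses the standard `URL` class, which already exposes `origin` (scheme + host + port). The site check goes one step beyond the post's "TLD plus one label" wording: browsers actually consult the Public Suffix List, so a hosting suffix like `github.io` counts as the "TLD" and `a.github.io` and `b.github.io` are cross-site. The `PUBLIC_SUFFIXES` set below is a constructed two-entry stand-in for that list, and the URL pairs are constructed samples.

```javascript
// Added example: site vs origin comparison for two URLs.
// Runs in any modern browser or in Node.js (the URL class is global in both).

// Constructed subset of the Public Suffix List (assumption for this demo).
// Hosts directly under these suffixes are separate sites, e.g.
// a.github.io vs b.github.io, exactly like a.com vs b.com.
const PUBLIC_SUFFIXES = new Set(["co.uk", "github.io"]);

// Registrable domain (eTLD+1): the public suffix plus one more label.
// Returns null when the host is itself a public suffix (no site exists).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // Walk from the full host down to the last two labels so the longest
  // matching public suffix wins.
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i > 0 ? labels.slice(i - 1).join(".") : null;
    }
  }
  // Plain TLD: "TLD plus one label", as the post describes.
  return labels.slice(-2).join(".");
}

// Site = scheme + registrable domain. Current browsers use this
// "schemeful" definition, so http vs https is cross-site.
function siteOf(urlString) {
  const u = new URL(urlString);
  const domain = registrableDomain(u.hostname);
  return domain === null ? null : `${u.protocol}//${domain}`;
}

function isSameSite(a, b) {
  const sa = siteOf(a);
  const sb = siteOf(b);
  return sa !== null && sa === sb;
}

// Origin = scheme + host + port. Path and query play no part, and the URL
// class elides default ports (443 for https) for us.
function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Which pairs would still carry a SameSite=Strict cookie (same-site),
// and which would pass a same-origin check?
function classify(a, b) {
  return { sameSite: isSameSite(a, b), sameOrigin: isSameOrigin(a, b) };
}

// Constructed sample URL pairs.
const CASES = [
  ["https://app.example.com/login", "https://api.example.com/v1/me"],
  ["https://example.com/", "http://example.com/"],
  ["https://example.com/", "https://example.com:8443/"],
  ["https://a.github.io/", "https://b.github.io/"],
];

for (const [a, b] of CASES) {
  console.log(a, "vs", b, classify(a, b));
}
```

Only the first and third pairs are same-site (different subdomain, different port), so a `SameSite=Strict` cookie scoped to `example.com` is sent on both; none of the four pairs is same-origin.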
Extra:
In the PortSwigger lab "SameSite Strict bypass via client-side redirect" they describe a way to bypass this protection when the application uses client-side (JavaScript) redirects and the server exposes a vulnerable endpoint.
Their example uses a change-email endpoint that accepts a GET request.