What is the difference between SameSite="Lax" and SameSite="Strict"?

Submitted by 主宰稳场 on 2020-06-08 04:06:08

Question


Can anyone tell me what is the difference between SameSite="Lax" and SameSite="Strict" by a nice example as I am a bit confused between these two?


Answer 1:


Lax allows the cookie to be sent on some cross-site requests, whereas Strict never allows the cookie to be sent on a cross-site request.

The situations in which Lax cookies can be sent cross-site must satisfy both of the following:

  1. The request must be a top-level navigation. You can think of this as equivalent to when the URL shown in the URL bar changes, e.g. a user clicking on a link to go to another site.
  2. The request method must be safe (e.g. GET or HEAD, but not POST).

For example:

  1. Let's say a user is on site-a.com and clicks on a link to go to site-b.com. This is a cross-site request. This is a top-level navigation and is a GET request, so Lax cookies are sent to site-b.com. However, Strict cookies are not sent because it is, after all, a cross-site request.
  2. The user is on site-a.com and there is an iframe in which site-b.com is loaded. This is a cross-site request, but it's not a top-level navigation (the user is still on site-a.com, i.e. the URL bar doesn't change when the iframe is loaded). Therefore neither Lax nor Strict cookies are sent to site-b.com.
  3. The user is on site-a.com which POSTs a form to site-b.com. This is a cross-site request, but the method (POST) is unsafe. It doesn't meet the criteria for Lax cookies going cross-site, so neither Lax nor Strict cookies are sent to site-b.com.



Answer 2:


Strict does not allow the cookie to be sent on a cross-site request or in an iframe. Lax allows GET only. None allows all requests, but Secure is required.
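The rules from both answers (cross-site or not, top-level navigation or not, safe method or not, and the Secure requirement for None) as a small decision model, added here for illustration and not taken from the Stack Overflow thread; the `Cookie` and `Request` classes and the three scenario names are made up for this example, and a `SameSite=None` cookie without `Secure` is modelled as "never sent" because browsers refuse to store such a cookie in the first place.

```python
from dataclasses import dataclass

# Methods the SameSite rules treat as "safe" (RFC 7231 terms)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:          # hypothetical helper type for this example
    name: str
    same_site: str     # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:         # hypothetical helper type for this example
    method: str
    cross_site: bool   # initiating site differs from the target site
    top_level: bool    # navigation that changes the URL bar (not iframe/fetch)
    https: bool = True


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether the browser attaches `cookie` to `req` under SameSite rules."""
    if cookie.secure and not req.https:
        return False                      # Secure cookies never travel over plain HTTP
    if not req.cross_site:
        return True                       # same-site requests always carry the cookie
    if cookie.same_site == "Strict":
        return False                      # Strict: never on a cross-site request
    if cookie.same_site == "Lax":
        # Lax: only top-level navigations with a safe method (link click, not POST/iframe)
        return req.top_level and req.method.upper() in SAFE_METHODS
    if cookie.same_site == "None":
        return cookie.secure              # None is only honoured together with Secure
    raise ValueError(f"unknown SameSite value: {cookie.same_site!r}")


# The three scenarios from Answer 1, constructed here as sample inputs
SCENARIOS = {
    "link_click":  Request("GET",  cross_site=True, top_level=True),
    "iframe_load": Request("GET",  cross_site=True, top_level=False),
    "form_post":   Request("POST", cross_site=True, top_level=True),
}


def matrix() -> dict:
    """(cookie name, scenario) -> sent? for Strict, Lax and a Secure None cookie."""
    cookies = [Cookie("strict", "Strict"), Cookie("lax", "Lax"), Cookie("none", "None", secure=True)]
    return {(c.name, s): cookie_is_sent(c, r) for c in cookies for s, r in SCENARIOS.items()}
```

Running `matrix()` reproduces the table implied by the answers: only the Lax cookie on the link click, and the Secure None cookie in every case, cross the site boundary.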



Source: https://stackoverflow.com/questions/59990864/what-is-difference-between-samesite-lax-and-samesite-strict
