

SameSite Wiki


Privacy Leaks

This article describes the privacy threats associated with the incorrect use of SameSite cookies. For other threats enabled by Cross-Site Leaks (XS-Leaks), please refer to our XS-Leaks article.

Pervasive Monitoring

Third-party cookies are widely used to track users online, and they often contain sensitive data. If websites do not set the Secure attribute on these cookies, a viable threat is pervasive monitoring at the network level. To mitigate this issue, Chromium-based browsers reject SameSite=None cookies that lack the Secure attribute [1, 2], but other browsers (e.g., Firefox and Safari) do not.

Example. Assume a website W1 that sets a privacy-sensitive cookie with SameSite=None and another website W2 that performs cross-site requests to W1. Because of the policy set by W1, browsers will include the cookie in all requests from W2 to W1. This is the typical setting of third-party cookies widely used for tracking users. Pervasive network monitoring is a threat in this scenario because, if the cookie is not transported securely (i.e., over TLS), it can reveal sensitive information about the user's identity.

For these reasons, browsers like Chrome and Opera reject cookies that set SameSite=None without also setting the Secure attribute [2]. However, other browsers such as Firefox and Safari do not reject these cookies [3], exposing users of these websites to pervasive monitoring attacks.
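As an added example (not part of the original article), the following Python audit parses Set-Cookie header values and flags the weak setting discussed above: SameSite=None without Secure, which Chromium-based browsers reject but which Firefox and Safari would store and then send over plain HTTP. The sample headers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]
    secure: bool
    chromium_rejects: bool  # Chromium drops SameSite=None cookies that lack Secure
    network_exposed: bool   # without Secure the cookie may travel over plain HTTP


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and classify its SameSite/Secure posture."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":          # flag attribute, carries no value
            secure = True
        elif key == "samesite":      # value is case-insensitive per browsers
            samesite = value.strip().lower() or None
    is_none = samesite == "none"
    return CookieAudit(
        name=name,
        samesite=samesite,
        secure=secure,
        chromium_rejects=is_none and not secure,
        network_exposed=not secure,
    )


def audit_headers(headers: List[str]) -> List[str]:
    """Names of cookies Chromium would reject but Firefox/Safari would still store."""
    return [a.name for a in map(parse_set_cookie, headers) if a.chromium_rejects]


# Constructed sample headers, not taken from the original page.
SAMPLE_HEADERS = [
    "tracker=abc123; SameSite=None; Path=/",          # W1's weak setting: rejected by Chromium
    "tracker=abc123; SameSite=None; Secure; Path=/",  # corrected: None must be paired with Secure
    "session=xyz; SameSite=Lax; Secure; HttpOnly",    # first-party cookie, not sent cross-site
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(parse_set_cookie(h))
    print("Chromium rejects:", audit_headers(SAMPLE_HEADERS))
```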

References:

  1. MDN Web Docs: SameSite cookies. Link

  2. Chrome Feature: Reject insecure SameSite=None cookies. Link

  3. S. Khodayari and G. Pellegrino, The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies. In IEEE S&P, 2022. Link