SameSite Wiki
Privacy Leaks
This article describes the privacy threats associated with the incorrect use of SameSite cookies. For other threats enabled by Cross-Site Leaks (XS-Leaks), please refer to our XS-Leaks article.
Pervasive Monitoring
Third-party cookies are widely used to track users online, and they often contain sensitive data. If websites do not set the Secure attribute for these cookies, a viable threat is pervasive monitoring at the network level. To mitigate this issue, Chromium-based browsers reject SameSite=None cookies without the Secure attribute [1, 2], but other browsers (e.g., Firefox and Safari) do not.
Example. Assume a website W1 that sets a privacy-sensitive cookie with SameSite=None and another website W2 that performs cross-site requests to W1. Because of the policy set by W1, browsers will include the cookie in all requests from W2 to W1. This is the typical setting of third-party cookies widely used for tracking users. Pervasive network monitoring is a threat in this scenario because, if cookies are not securely transported (i.e., over TLS), they can reveal sensitive information about the user's identity.
For these reasons, browsers like Chrome and Opera reject cookies that set the SameSite=None policy without the Secure flag [2]. However, other browsers such as Firefox and Safari do not reject these cookies [3], exposing users of these websites to pervasive monitoring attacks.
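The Chromium rule described above, written out as a small added audit script (this is not code from the wiki or from any browser): it parses Set-Cookie headers and flags cookies that declare SameSite=None without the Secure attribute, which Chromium rejects but Firefox and Safari store. The sample headers are constructed for the example.

```python
# Constructed sample Set-Cookie headers (not taken from the page):
# a tracking cookie set with SameSite=None but no Secure flag,
# the corrected version, and a first-party Lax cookie.
SAMPLE_HEADERS = [
    "tid=abc123; Path=/; SameSite=None",
    "tid=abc123; Path=/; SameSite=None; Secure",
    "session=xyz; Path=/; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure
    and HttpOnly map to True, valued attributes map to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def check_cookie(header):
    """Classify one Set-Cookie header against the SameSite=None + Secure rule.

    Returns (cookie name, verdict) where the verdict is:
      'rejected-by-chromium' - SameSite=None without Secure; Chromium drops it,
                               Firefox/Safari keep it and send it in clear text
      'third-party-secure'   - SameSite=None with Secure; sent cross-site over TLS only
      'ok'                   - not a SameSite=None cookie
    """
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    is_none = isinstance(samesite, str) and samesite.lower() == "none"
    secure = attrs.get("secure") is True
    if is_none and not secure:
        return name, "rejected-by-chromium"
    if is_none:
        return name, "third-party-secure"
    return name, "ok"


def audit(headers):
    """Run check_cookie over a list of headers and return the verdicts."""
    return [check_cookie(h) for h in headers]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```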
References:
1. MDN Web Docs: SameSite cookies.
2. Chrome Feature: Reject insecure SameSite=None cookies.
3. S. Khodayari and G. Pellegrino. The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies. In IEEE S&P, 2022.