Strict SameSite web cookie policies probably don't do much for us

February 7, 2021

I recently read The great SameSite confusion (via). To summarize badly, this article is about how it's easy to misunderstand exactly what the SameSite cookie attribute does, because web security draws a distinction between an 'origin' and a 'site'. The simple version of the difference is that 'origin' means the exact website (the same scheme, host, and port), while 'site' means the registrable domain: the public suffix plus one more label, as determined from the public suffix list (so for anything under utoronto.ca, the site is utoronto.ca). For a lot of organizations this distinction may be relatively small. However, here at the University of Toronto, the distinction is very big. As a consequence, the effects of a strong SameSite policy (whether set explicitly or through browser defaults) are relatively modest for our websites.

The University of Toronto mostly uses the domain 'utoronto.ca'. However, we have a great many organizational units (faculties, departments, groups, and so on), and these mostly have websites with names that are either direct sub-names of utoronto.ca (such as 'utcc.utoronto.ca') or names in subdomains, such as 'www.utsc.utoronto.ca'. All of these are very different websites, run by very different groups with very different security policies and so on, but they're all the same 'site' as far as SameSite is concerned. As a result, even the strictest SameSite policy won't stop a request from one of these websites to another from carrying the user's cookies for the destination: as far as the browser is concerned, it's a same-site request.
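As an added example (not code from the original post or from the article it links to), here is the origin-versus-site distinction computed directly. It uses a small constructed subset of the public suffix list rather than the real one, and uses the current 'schemeful' definition of site, which includes the URL scheme along with the registrable domain:

```javascript
// Constructed subset of the public suffix list (the real list is far larger
// and has wildcard and exception rules that this example ignores).
const PUBLIC_SUFFIXES = new Set(["ca", "com", "io", "github.io"]);

// Registrable domain ("eTLD+1"): the shortest suffix of the host that is not
// itself a public suffix. For utcc.utoronto.ca that is utoronto.ca.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = labels.length - 1; i >= 0; i--) {
    const suffix = labels.slice(i).join(".");
    if (!PUBLIC_SUFFIXES.has(suffix)) return suffix;
  }
  return null; // the host is a public suffix itself, e.g. "github.io"
}

// Origin: scheme, host and port. URL.origin drops default ports for us.
function origin(url) {
  return new URL(url).origin;
}

// Site: scheme plus registrable domain ("schemeful same-site", the definition
// modern browsers use; the post's simpler version is just the domain).
function site(url) {
  const u = new URL(url);
  const rd = registrableDomain(u.hostname);
  return `${u.protocol}//${rd === null ? u.hostname : rd}`;
}

function sameOrigin(a, b) { return origin(a) === origin(b); }
function sameSite(a, b) { return site(a) === site(b); }

// Two very different UofT websites: cross-origin, but same-site.
const a = "https://utcc.utoronto.ca/";
const b = "https://www.utsc.utoronto.ca:443/path";
console.log(sameOrigin(a, b), sameSite(a, b)); // false true

// Two GitHub Pages users: cross-origin and cross-site, because github.io
// is on the public suffix list.
console.log(sameSite("https://alice.github.io/", "https://bob.github.io/")); // false
```

The github.io case is the contrast worth noticing: a hosting provider that puts its domain on the public suffix list gets SameSite protection between its tenants for free, which is exactly what utoronto.ca, not being on the list, does not get between its departments.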

Fortunately, all is not lost for our (potential) desire to keep from leaking cookies between our different websites. Cookies have always had a separate, basic limitation on which hosts they're sent to, as covered in the relevant MDN section. If someone with a website here sends a cookie without a Domain attribute, browsers treat it as host-only: it is sent back only to the exact host that set it, not even to that host's sub-domains. To have a cookie sent to all University of Toronto websites, you would have to explicitly set 'Domain=utoronto.ca'. Well, you or the framework you're using would have to do that, since people often don't manually set cookies. Hopefully there aren't many frameworks that default their cookie domains to the 'site' (as the web defines it).
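As an added example (not code from the original post), here is the RFC 6265 cookie-domain logic that does the work: a constructed Set-Cookie header, as a hypothetical utcc.utoronto.ca might send it, is stored either as host-only or scoped by its Domain attribute, and that scope, not SameSite, decides which utoronto.ca hosts receive it.

```javascript
// RFC 6265 section 5.1.3 domain matching: equal, or the host ends with
// "." + domain (and is not an IP address literal).
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  return h.endsWith("." + d) && !/^\d+(\.\d+){3}$/.test(h);
}

// What a browser stores for a Set-Cookie header received from settingHost
// (RFC 6265 section 5.3, restricted to the Domain attribute).
function storeCookie(settingHost, setCookieHeader) {
  const host = settingHost.toLowerCase();
  const [pair, ...attrs] = setCookieHeader.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: host, hostOnly: true };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() !== "domain" || !v) continue;
    const d = v.replace(/^\./, "").toLowerCase(); // a leading dot is ignored
    // The setting host must itself domain-match the requested Domain, so
    // utcc.utoronto.ca cannot set a cookie for www.utsc.utoronto.ca. (Real
    // browsers also refuse public suffixes such as Domain=ca; omitted here.)
    if (!domainMatches(host, d)) return null; // the cookie is ignored entirely
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// RFC 6265 section 5.4: a host-only cookie goes back only to the exact host;
// otherwise any host that domain-matches the Domain attribute receives it.
function sentTo(cookie, requestHost) {
  const h = requestHost.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Constructed headers as a hypothetical utcc.utoronto.ca might send them.
const hostOnlyCookie = storeCookie("utcc.utoronto.ca", "session=abc123; Secure; HttpOnly");
const wideCookie = storeCookie("utcc.utoronto.ca", "session=abc123; Domain=utoronto.ca; Secure");

for (const h of ["utcc.utoronto.ca", "www.utcc.utoronto.ca", "www.utsc.utoronto.ca"]) {
  console.log(h, sentTo(hostOnlyCookie, h), sentTo(wideCookie, h));
}
// utcc.utoronto.ca true true
// www.utcc.utoronto.ca false true
// www.utsc.utoronto.ca false true
```

Note that SameSite never enters this decision. A SameSite=Strict cookie with Domain=utoronto.ca is still attached to a request that a page on utcc.utoronto.ca makes to www.utsc.utoronto.ca, because that request is same-site; only the Domain scope (or its host-only default) keeps the cookie within one website.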

(One corollary of this is that there is a lot of scope for 'same-site' requests in general on University of Toronto websites, for both good and, unfortunately, evil. If an attacker wants to find a place to put some content that will be same-site for an important UofT website, and so able to make requests to it that carry the user's cookies despite SameSite=Strict, they're probably not going to have much trouble. There are even various subdomain names that look very similar to each other.)

Last modified: Sun Feb 7 23:45:27 2021