{"id":24356,"date":"2018-05-18T01:03:04","date_gmt":"2018-05-17T16:03:04","guid":{"rendered":"https:\/\/jirak.net\/wp\/previewing-support-for-same-site-cookies-in-microsoft-edge\/"},"modified":"2018-05-18T01:34:45","modified_gmt":"2018-05-17T16:34:45","slug":"previewing-support-for-same-site-cookies-in-microsoft-edge","status":"publish","type":"post","link":"https:\/\/jirak.net\/wp\/previewing-support-for-same-site-cookies-in-microsoft-edge\/","title":{"rendered":"Previewing support for same-site cookies in Microsoft Edge"},"content":{"rendered":"<p>Yesterday&#8217;s Windows Insider Preview build (<a href=\"https:\/\/blogs.windows.com\/windowsexperience\/2018\/05\/16\/announcing-windows-10-insider-preview-build-17672\/\">build 17672<\/a>) introduces support for the <a href=\"https:\/\/tools.ietf.org\/html\/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7\">SameSite cookies<\/a> standard in Microsoft Edge, ahead of a planned rollout in Microsoft Edge and Internet Explorer. Same-site cookies enable more protection for users against cross-site request forgery (CSRF) attacks.<\/p>\n<p>Historically, sites such as <em>example.com<\/em> that make \u201ccross-origin\u201d requests to other domains such as <em>microsoft.com<\/em> have generally caused the browser to send <em>microsoft.com<\/em>\u2019s cookies as part of the request. Normally, the user benefits by being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. 
Same-site cookies are a valuable addition to the <a href=\"https:\/\/www.owasp.org\/index.php\/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet\">defense in depth against CSRF attacks<\/a>.<\/p>\n<p>Sites can now set the <code>SameSite<\/code> attribute on cookies of their choosing via the <code>Set-Cookie<\/code> header or by using the <code>document.cookie<\/code> JavaScript property, thus suppressing the default browser behavior of sending cookies on cross-site requests, either for all cross-site requests (via the &#8220;<code>strict<\/code>&#8221; value) or for all but some less sensitive ones (via the &#8220;<code>lax<\/code>&#8221; value).<\/p>\n<p>More specifically, if the <code>strict<\/code> value is specified when a same-site cookie is set, the cookie will not be sent on any cross-site request, including navigations that follow links from external sites. If the logged-in state is stored in a <code>SameSite=Strict<\/code> cookie, a user who clicks such a link will therefore initially appear not to be logged in.<\/p>\n<p>On the other hand, if the <code>lax<\/code> value is specified when a same-site cookie is set, the cookie will not be sent on cross-origin sub-resource requests such as images. However, <code>SameSite=Lax<\/code> cookies will still be sent when navigating from an external site, such as when a link is clicked.<\/p>\n<p>This feature is backwards compatible\u2015that is, browsers that don\u2019t support same-site cookies will safely ignore the additional attribute and treat the cookie as a regular cookie.<\/p>\n<p>We continuously work to improve our support of standards towards a more interoperable web. 
Although same-site cookies are not yet a finalized standard at the Internet Engineering Task Force (IETF), we believe the feature is stable and compelling enough to warrant an early implementation as the standardization process progresses.<\/p>\n<p>To broaden the security benefits of this feature, we plan to service Microsoft Edge and Internet Explorer 11 on the Windows 10 Creators Update and newer to support same-site cookies as well, allowing sites to rely on same-site cookies as a defense against CSRF and other related cross-site timing and cross-site information-leakage attacks.<\/p>\n<p>\u2014 Ali Alabbas, Program Manager, Microsoft Edge<br \/>\n\u2014 Gabriel Montenegro, Program Manager, Windows Networking<br \/>\n\u2014 Brent Mills, Program Manager, Internet Explorer<\/p>\n<p>Source: <a href=\"http:\/\/blogs.windows.com\/msedgedev\/2018\/05\/17\/samesite-cookies-microsoft-edge-internet-explorer\/\" target=\"_blank\">Previewing support for same-site cookies in Microsoft Edge<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[169],"tags":[201],"class_list":["post-24356","post","type-post","status-publish","format-standard","hentry","category-news","tag-windows"],"amp_enabled":true}