SameSite Attributes

R3zk0n · October 2, 2025


    It is not difficult to instruct the user’s browser to send the request. It is more difficult to instruct the browser to send the request with the session cookies and gain access to the response. To understand the mechanics of cookies in this context, we must discuss the optional SameSite attribute of the Set-Cookie HTTP header.

    Thus, in a CORS exploit:

    • Instructing a user’s browser to send a request to another origin is simple (an image tag, a form submission, or a fetch() call all do it), but the attacker’s JavaScript cannot read the response unless CORS permits it.
    • Sending the request with session cookies requires the attacker’s script to ask for them (credentials: 'include' on fetch, or withCredentials on XMLHttpRequest) and the cookie’s SameSite policy to allow them on a cross-site request.
    • Gaining access to the response is the hard part: the server must answer with Access-Control-Allow-Origin echoing the attacker’s exact origin (a wildcard is refused for credentialed requests) and Access-Control-Allow-Credentials: true, that is, both ACAO and ACAC.
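    The three bullets above, as an added example that is not code from the original post: it models the browser’s CORS response check and runs it against two constructed server behaviours, the classic Origin-reflection misconfiguration and an allowlist. The origins, the server functions and the fetch() call in the comment are assumptions for illustration.

```javascript
// Added example (not from the original post): models the browser's CORS
// response check so the three bullets above can be tried out offline.
// The request always leaves the browser; what is decided here is whether the
// page at `pageOrigin` may READ the response.

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Mirrors the Fetch standard's CORS check. With credentials (cookies) the
// server must echo the exact origin in ACAO ("*" is refused) and send the
// byte-exact string "true" in ACAC; without credentials "*" is enough.
function corsCheck(pageOrigin, responseHeaders, credentialed) {
  const h = lowerKeys(responseHeaders);
  const acao = h['access-control-allow-origin'];
  const acac = h['access-control-allow-credentials'];
  if (acao === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (!credentialed) {
    const ok = acao === '*' || acao === pageOrigin;
    return { readable: ok, reason: ok ? 'anonymous CORS allowed' : 'ACAO does not match origin' };
  }
  if (acao === '*') return { readable: false, reason: 'ACAO "*" is refused for credentialed requests' };
  if (acao !== pageOrigin) return { readable: false, reason: 'ACAO does not match origin' };
  if (acac !== 'true') return { readable: false, reason: 'ACAC missing or not exactly "true"' };
  return { readable: true, reason: 'credentialed CORS allowed: attacker can read the body' };
}

// Constructed server behaviours (assumptions for this example, not any real
// site). The first is the classic misconfiguration: it reflects whatever
// Origin the request carries and allows credentials.
function reflectingServerHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// The hardened form: only a fixed allowlist is echoed; anything else gets no
// CORS headers at all. Vary: Origin keeps caches from serving one origin's
// answer to another.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
function allowlistServerHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// The attacker's page, running at attackerOrigin, does
//   fetch('https://victim.example/api/me', { credentials: 'include' })
// and then tries to read the body. This returns what the browser decides.
function attackerCanReadResponse(attackerOrigin, serverHeadersFor) {
  const responseHeaders = serverHeadersFor(attackerOrigin);
  return corsCheck(attackerOrigin, responseHeaders, true);
}

const ATTACKER = 'https://attacker.example';
console.log('reflecting server:', attackerCanReadResponse(ATTACKER, reflectingServerHeaders));
console.log('allowlist server :', attackerCanReadResponse(ATTACKER, allowlistServerHeaders));
```

    Whether the cookies are attached in the first place is a separate decision governed by SameSite, which the rest of the page covers; corsCheck assumes they were.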

    The SameSite attribute appears among the attributes that follow the cookie’s name=value pair in the Set-Cookie header; attributes are separated by semicolons and their order does not matter. This attribute defines whether the cookie is restricted to a same-site context. There are three possible values: Strict, None, and Lax.

    Strict

    If SameSite is set to Strict on a cookie, the browser only attaches it to requests that originate from the same site. For example, let’s imagine a site with the domain funnycatpictures.com, which displays unique cat pictures to each user and uses cookies to track each user’s cats. If those cookies are set with SameSite=Strict, they are sent when the user browses funnycatpictures.com but not when a cat picture is embedded in a different site. Strict also withholds the cookies on cross-site navigations (clicking a link to funnycatpictures.com from another site arrives without them, so the user appears logged out until they navigate again within the site) and inside iframes. It is the strongest setting against CSRF, but it can break legitimate cross-site entry points such as links from e-mail or third-party login callbacks.

    None

    When SameSite is set to None, the cookie is sent in all cross-site contexts: navigations, image loads, iframes, and credentialed fetch/XHR calls. The None value requires the Secure attribute, which restricts the cookie to HTTPS; Chromium-based browsers reject a SameSite=None cookie that lacks Secure.

    Lax

    Finally, the Lax value sends the cookie on some cross-site requests. For the cookie to be included in a cross-site request, both of the following must hold:

    • It must use a "safe" HTTP method, one that is not meant to change state on the server (GET, HEAD, OPTIONS, TRACE); a cross-site POST does not carry a Lax cookie.
    • It must be a top-level navigation, a request that changes the URL in the address bar, such as the user clicking a link or following a redirect. Subresource requests (images, scripts, fetch/XHR) and content loaded in iframes do not include the cookie.

    SameSite is supported by every current mainstream browser, but many applications still do not set it explicitly. If a site does not set the SameSite attribute, the default the browser applies varies by browser and version.

    As of Chrome 80 and Edge 86, Lax is the default for cookies that do not carry a SameSite attribute. At the time of this writing, Firefox and Safari still default to None. Internet Explorer, retired by Microsoft in 2022, only ever had partial support for SameSite.

    When the browser’s default is None, a user visiting a malicious page may be exposed to CSRF. As discussed above, with SameSite=None the browser sends the cookie in every context (image loads, navigation, form posts, etc.), so one site can send a request to another domain with the victim’s cookies attached, and CSRF succeeds if the target application implements no additional safeguards. Chromium’s Lax default narrows but does not remove the risk: the cookie still accompanies cross-site top-level GET navigations, so any state-changing GET endpoint remains exploitable, and a cookie set without an explicit SameSite attribute is still sent on cross-site top-level POSTs for two minutes after it is set (Chromium’s "Lax-allowing-unsafe" exception). SameSite therefore complements, rather than replaces, anti-CSRF tokens and Origin/Referer checks.
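    The attribute parsing, the Strict/Lax/None rules and the per-browser defaults described in the sections above, as one added example that is not code from the original post: it parses a Set-Cookie header, resolves the effective SameSite value, and decides whether the cookie rides along on a given request. The browser names and their defaults, the request shape { method, crossSite, topLevelNavigation } and the cookieAgeMs option are assumptions made for this illustration.

```javascript
// Added example, not code from the original post. Assumptions: the browser
// defaults table below, the request shape { method, crossSite,
// topLevelNavigation }, and the cookieAgeMs option used for Chromium's
// two-minute "Lax-allowing-unsafe" window.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {}, // attribute names lower-cased; valueless attributes map to true
  };
  for (const part of parts.slice(1)) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// What each browser does with a cookie that has no (or an unrecognised)
// SameSite attribute: Chromium (Chrome 80+, Edge 86+) defaults to Lax,
// Firefox and Safari to None.
const BROWSER_DEFAULT = { chrome: 'lax', edge: 'lax', firefox: 'none', safari: 'none' };

// HTTP methods on which a Lax cookie is allowed for cross-site navigations.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Chromium's "Lax-allowing-unsafe": a cookie that was defaulted to Lax (no
// explicit attribute) is still sent on cross-site top-level POSTs for the
// first two minutes after it was set.
const LAX_UNSAFE_WINDOW_MS = 2 * 60 * 1000;

function cookieSent(cookie, req, browser, opts = {}) {
  const raw = cookie.attrs.samesite;
  const explicit = typeof raw === 'string' ? raw.toLowerCase() : undefined;
  const valid = ['strict', 'lax', 'none'].includes(explicit);
  const effective = valid ? explicit : BROWSER_DEFAULT[browser];
  const defaulted = !valid;

  // SameSite=None must be paired with Secure; modelled here as "cookie rejected".
  if (effective === 'none' && !defaulted && !('secure' in cookie.attrs)) {
    return { sent: false, effective, reason: 'SameSite=None without Secure is rejected' };
  }
  if (!req.crossSite) return { sent: true, effective, reason: 'same-site request' };
  if (effective === 'strict') return { sent: false, effective, reason: 'Strict: never on cross-site requests' };
  if (effective === 'none') return { sent: true, effective, reason: 'None: sent in every context' };

  // Lax: only safe-method top-level navigations, plus Chromium's exception.
  if (!req.topLevelNavigation) {
    return { sent: false, effective, reason: 'Lax: not a top-level navigation (image, script, fetch, iframe)' };
  }
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { sent: true, effective, reason: 'Lax: safe-method top-level navigation' };
  }
  if (defaulted && opts.cookieAgeMs !== undefined && opts.cookieAgeMs < LAX_UNSAFE_WINDOW_MS) {
    return { sent: true, effective, reason: 'Lax-allowing-unsafe: defaulted cookie younger than 2 minutes' };
  }
  return { sent: false, effective, reason: 'Lax: unsafe method on a cross-site navigation' };
}

// Constructed scenarios (not captured from any real site).
const STRICT = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict');
const LAX = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax');
const UNSET = parseSetCookie('session=abc123; Path=/; Secure; HttpOnly');
const LINK = { method: 'GET', crossSite: true, topLevelNavigation: true };
const FORM_POST = { method: 'POST', crossSite: true, topLevelNavigation: true };
const IMG = { method: 'GET', crossSite: true, topLevelNavigation: false };

for (const [label, cookie, req, browser, opts] of [
  ['Strict cookie, cross-site link (Chrome)', STRICT, LINK, 'chrome'],
  ['Lax cookie, cross-site form POST (Chrome)', LAX, FORM_POST, 'chrome'],
  ['No attribute, <img> load (Firefox)', UNSET, IMG, 'firefox'],
  ['No attribute, 30 s old, form POST (Chrome)', UNSET, FORM_POST, 'chrome', { cookieAgeMs: 30000 }],
]) {
  console.log(label, '->', cookieSent(cookie, req, browser, opts));
}
```

    The last scenario is the one that matters for CSRF testing against Chromium: a session cookie with no SameSite attribute is protected by the Lax default on a cross-site POST only once it is older than two minutes, so a login-then-attack chain inside that window still works.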

    Understanding the relationship between SOP, CORS, and the SameSite attribute is critical in understanding how and when an application might be vulnerable to CSRF.
