This content originally appeared on web.dev and was authored by Steven Bingler
This article is part of a series on the SameSite
cookie attribute changes:
Schemeful Same-Site modifies the definition of a (web)site from just the registrable domain to the scheme + registrable domain. You can find more details and examples in Understanding "same-site" and "same-origin".
Key Term: This means that the insecure HTTP version of a site, for example, http://website.example, and the secure HTTPS version of that site, https://website.example, are now considered cross-site to each other.
The good news is: if your website is already fully upgraded to HTTPS then you don't need to worry about anything. Nothing will change for you.
If you haven't fully upgraded your website yet then this should be the priority.
However, if there are cases where your site visitors will go between HTTP and
HTTPS then some of those common scenarios and the associated SameSite
cookie
behavior are outlined below.
Warning:
The long-term plan is to phase out support for third-party cookies
entirely,
replacing them with privacy preserving alternatives. Setting SameSite=None; Secure
on a cookie to allow it to be sent across schemes should only be
considered a temporary solution in the migration towards full HTTPS.
You can enable these changes for testing in both Chrome and Firefox.
- From Chrome 86, enable
chrome://flags/#schemeful-same-site
. Track progress on the Chrome Status page. - From Firefox 79, set
network.cookie.sameSite.schemeful
totrue
viaabout:config
. Track progress via the Bugzilla issue.
One of the main reasons for the change to SameSite=Lax
as the default for
cookies was to protect against Cross-Site Request Forgery
(CSRF). However,
insecure HTTP traffic still presents an opportunity for network attackers to
tamper with cookies that will then be used on the secure HTTPS version of the
site. Creating this additional cross-site boundary between schemes provides
further defense against these attacks.
Common cross-scheme scenarios
Key Term: In the examples below where the URLs all have the same registrable domain, e.g. site.example, but different schemes, for example, http://site.example vs. https://site.example, they are referred to as cross-scheme to each other.
Navigation
Navigating between cross-scheme versions of a website (for example, linking from
http://site.example to https://site.example) would previously allow
SameSite=Strict
cookies to be sent. This is now treated as a cross-site
navigation which means SameSite=Strict
cookies will be blocked.
HTTP → HTTPS | HTTPS → HTTP | |
SameSite=Strict
|
⛔ Blocked | ⛔ Blocked |
SameSite=Lax
|
✓ Allowed | ✓ Allowed |
SameSite=None;Secure
|
✓ Allowed | ⛔ Blocked |
Loading subresources
Warning: All major browsers block active mixed content such as scripts or iframes. Additionally, browsers including Chrome and Firefox are working toward upgrading or blocking passive mixed content.
Any changes you make here should only be considered a temporary fix while you work to upgrade to full HTTPS.
Examples of subresources include images, iframes, and network requests made with XHR or Fetch.
Loading a cross-scheme subresource on a page would previously allow
SameSite=Strict
or SameSite=Lax
cookies to be sent or set. Now this is
treated the same way as any other third-party or cross-site subresource which
means that any SameSite=Strict
or SameSite=Lax
cookies will be blocked.
Additionally, even if the browser does allow resources from insecure schemes to
be loaded on a secure page, all cookies will be blocked on these requests as
third-party or cross-site cookies require Secure
.
HTTP → HTTPS | HTTPS → HTTP | |
SameSite=Strict
|
⛔ Blocked | ⛔ Blocked |
SameSite=Lax
|
⛔ Blocked | ⛔ Blocked |
SameSite=None;Secure
|
✓ Allowed | ⛔ Blocked |
POSTing a form
Posting between cross-scheme versions of a website would previously allow
cookies set with SameSite=Lax
or SameSite=Strict
to be sent. Now this is
treated as a cross-site POST—only SameSite=None
cookies can be sent. You may
encounter this scenario on sites that present the insecure version by default,
but upgrade users to the secure version on submission of the sign-in or
check-out form.
As with subresources, if the request is going from a secure, e.g. HTTPS, to an
insecure, e.g. HTTP, context then all cookies will be blocked on these requests
as third-party or cross-site cookies require Secure
.
Warning: The best solution here is to ensure both the form page and destination are on a secure connection such as HTTPS. This is especially important if the user is entering any sensitive information into the form.
HTTP → HTTPS | HTTPS → HTTP | |
SameSite=Strict
|
⛔ Blocked | ⛔ Blocked |
SameSite=Lax
|
⛔ Blocked | ⛔ Blocked |
SameSite=None;Secure
|
✓ Allowed | ⛔ Blocked |
How can I test my site?
Developer tooling and messaging are available in Chrome and Firefox.
From Chrome 86, the Issue tab in DevTools will include Schemeful Same-Site issues. You may see the following issues highlighted for your site.
Navigation issues:
- "Migrate entirely to HTTPS to continue having cookies sent on same-site requests"—A warning that the cookie will be blocked in a future version of Chrome.
- "Migrate entirely to HTTPS to have cookies sent on same-site requests"—A warning that the cookie has been blocked.
Subresource loading issues:
- "Migrate entirely to HTTPS to continue having cookies sent to same-site subresources" or "Migrate entirely to HTTPS to continue allowing cookies to be set by same-site subresources"—Warnings that the cookie will be blocked in a future version of Chrome.
- "Migrate entirely to HTTPS to have cookies sent to same-site subresources" or "Migrate entirely to HTTPS to allow cookies to be set by same-site subresources"—Warnings that the cookie has been blocked. The latter warning can also appear when POSTing a form.
More detail is available in Testing and Debugging Tips for Schemeful Same-Site.
From Firefox 79, with network.cookie.sameSite.schemeful
set to true
via
about:config
the console will display message for Schemeful Same-Site issues.
You may see the following on your site:
- "Cookie
cookie_name
will be soon treated as cross-site cookie againsthttp://site.example/
because the scheme does not match." - "Cookie
cookie_name
has been treated as cross-site againsthttp://site.example/
because the scheme does not match."
FAQ
My site is already fully available on HTTPS, why am I seeing issues in my browser's DevTools?
It's possible that some of your links and subresources still point to insecure URLs.
One way to fix this issue is to use HTTP
Strict-Transport-Security
(HSTS) and the includeSubDomain
directive. With HSTS + includeSubDomain
even
if one of your pages accidentally includes an insecure link the browser will
automatically use the secure version instead.
What if I can't upgrade to HTTPS?
While we strongly recommend that you upgrade your site entirely to HTTPS to protect your users, if you're unable to do so yourself we suggest speaking with your hosting provider to see if they can offer that option. If you self-host, then Let's Encrypt provides a number of tools to install and configure a certificate. You can also investigate moving your site behind a CDN or other proxy that can provide the HTTPS connection.
If that's still not possible then try relaxing the SameSite
protection on
affected cookies.
- In cases where only
SameSite=Strict
cookies are being blocked you can lower the protection toLax
. - In cases where both
Strict
andLax
cookies are being blocked and your cookies are being sent to (or set from) a secure URL you can lower the protections toNone
.- This workaround will fail if the URL you're sending cookies to (or
setting them from) is insecure. This is because
SameSite=None
requires theSecure
attribute on cookies which means those cookies may not be sent or set over an insecure connection. In this case you will be unable to access that cookie until your site is upgraded to HTTPS. - Remember, this is only temporary as eventually third-party cookies will be phased out entirely.
- This workaround will fail if the URL you're sending cookies to (or
setting them from) is insecure. This is because
How does this affect my cookies if I haven't specified a SameSite
attribute?
Cookies without a SameSite
attribute are treated as if they specified
SameSite=Lax
and the same cross-scheme behavior applies to these cookies as
well. Note that the temporary exception to unsafe methods still applies, see
the Lax + POST mitigation in the Chromium SameSite
FAQ for more information.
How are WebSockets affected?
WebSocket connections will still be considered same-site if they're the same secureness as the page.
Same-site:
wss://
connection fromhttps://
ws://
connection fromhttp://
Cross-site:
wss://
connection fromhttp://
ws://
connection fromhttps://
Photo by Julissa Capdevilla on Unsplash
This content originally appeared on web.dev and was authored by Steven Bingler
Steven Bingler | Sciencx (2020-11-20T00:00:00+00:00) Schemeful Same-Site. Retrieved from https://www.scien.cx/2020/11/20/schemeful-same-site/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.