SameSite Cookie Status: <iframe>
Run another test from the External Site.
Since the page request within the <iframe> is a cross-site request, your browser will have checked the SameSite cookie attribute and only sent cookies that are allowed for requests within an <iframe>. All other cookies will have been blocked.
- SameSite=Strict should never be sent on cross-site requests.
- SameSite=Lax should only be sent on cross-site GET requests.
- SameSite=None; Secure should always be sent on cross-site requests.
- SameSite=None (without Secure) is invalid and should be rejected by the browser and never sent. (Note, your browser may not block these cookies yet.)
- Cookies with no SameSite attribute will always be sent on cross-site requests until your browser rolls out SameSite=Lax by default.
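The rules above can be checked offline with a small model of the browser's decision "do I attach this cookie to this request?". The following is an added example, not the experiment's own code: it parses constructed Set-Cookie headers, rejects SameSite=None without Secure, and goes one step beyond the list above by applying the specification's condition that Lax cookies ride only on top-level GET navigations, which is why a GET made from inside an <iframe> (not top-level) does not carry them. Cookie names, the request shapes and the laxByDefault switch are assumptions made for the illustration.

```javascript
// Added example (not the experiment's own code): a model of how a browser
// decides whether to attach a cookie to a request under the SameSite rules.
// Cookie names, headers and request descriptions are constructed samples.

// Parse one Set-Cookie header into a record. Returns null when a browser that
// enforces the "SameSite=None requires Secure" rule would reject the cookie.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    sameSite: null, // null: attribute omitted, so the browser default applies
    secure: false,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  // SameSite=None without Secure is invalid: the cookie is never stored.
  if (cookie.sameSite === 'none' && !cookie.secure) return null;
  return cookie;
}

// request: { crossSite, method, topLevel }. topLevel is true for a navigation
// of the top-level window and false for subresources such as an <iframe>.
// options.laxByDefault mirrors the browser rollout mentioned above: when true,
// a cookie with no SameSite attribute is treated as SameSite=Lax.
function shouldSendCookie(cookie, request, options = {}) {
  const { laxByDefault = true } = options;
  if (!request.crossSite) return true; // same-site requests always carry cookies
  const known = ['strict', 'lax', 'none'];
  let mode = cookie.sameSite;
  if (mode === null || !known.includes(mode)) mode = laxByDefault ? 'lax' : 'none';
  if (mode === 'strict') return false; // never on cross-site requests
  if (mode === 'none') return true; // None; Secure: always sent cross-site
  // Lax: only top-level navigations with a safe method. A GET issued for an
  // <iframe> is not a top-level navigation, so Lax cookies are withheld.
  return request.topLevel && request.method.toUpperCase() === 'GET';
}

// Names of the cookies, given as Set-Cookie headers, that would be sent on a
// request. Rejected cookies are never stored, so they are never sent.
function cookiesSentOn(setCookieHeaders, request, options) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c !== null && shouldSendCookie(c, request, options))
    .map((c) => c.name);
}

// Constructed sample jar: one cookie per case described on this page.
const SAMPLE_SET_COOKIE_HEADERS = [
  'strict_cookie=1; SameSite=Strict; Secure',
  'lax_cookie=1; SameSite=Lax; Secure',
  'none_secure_cookie=1; SameSite=None; Secure',
  'none_insecure_cookie=1; SameSite=None',
  'no_attribute_cookie=1',
];

// The cross-site, non-top-level GET that an <iframe> on an external site makes.
const IFRAME_REQUEST = { crossSite: true, method: 'GET', topLevel: false };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('iframe, Lax-by-default browser:',
    cookiesSentOn(SAMPLE_SET_COOKIE_HEADERS, IFRAME_REQUEST));
  console.log('iframe, browser without Lax-by-default:',
    cookiesSentOn(SAMPLE_SET_COOKIE_HEADERS, IFRAME_REQUEST, { laxByDefault: false }));
}
```

Running it shows that in the <iframe> scenario only the None; Secure cookie survives on a Lax-by-default browser, while an older browser also attaches the cookie with no SameSite attribute; swapping IFRAME_REQUEST for a top-level GET navigation additionally lets the Lax cookie through, which is the difference that makes the <iframe> test distinct from a plain link click.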
An experiment by Stephen Rees-Carter for "CSRF is dead (or is it?)" and "SameSite Cookies Deep Dive".
Source Code on GitHub, PRs welcome.