Microsoft has added support for the SameSite cookie standard to Microsoft Edge in Windows Insider Preview build 17672, ahead of the planned rollout in Microsoft Edge and Internet Explorer. Microsoft states that same-site cookies give users additional protection against cross-site request forgery (CSRF) attacks.
“Historically, sites such as example.com that make “cross-origin” requests to other domains such as microsoft.com have generally caused the browser to send microsoft.com’s cookies as part of the request. Normally, the user benefits from being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. Same-site cookies are a valuable addition to the defence in depth against CSRF attacks.”
If SameSite=Strict is specified when the cookie is set, the browser will not send the cookie on any cross-site request, including top-level navigations such as clicking a link on an external site. If the logged-in state is stored in a SameSite=Strict cookie, a user who follows such a link will therefore initially appear to be logged out until they navigate within the site.
If SameSite=Lax is specified when the cookie is set, the browser will not send the cookie on cross-origin sub-resource requests such as images, but it will still send it on top-level navigations from an external site, for example when the user clicks a link. Lax cookies are also withheld on cross-site requests that use a non-safe method, such as a POST form submission, which is the classic CSRF vector.
The feature is fully backwards compatible: browsers that do not support same-site cookies ignore the unknown attribute and treat the cookie as a regular cookie. Sites should therefore keep their existing CSRF defences (such as anti-forgery tokens) in place; the SameSite attribute is a defence-in-depth layer, not a replacement.
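The following is an added example, not code from the Microsoft post: a small Node.js model of the browser's decision to attach a cookie to a request under the Strict and Lax rules described above, alongside the Set-Cookie header a server would emit. It also models a browser that does not understand the attribute and treats the cookie as a regular one. The hosts, cookie name and request scenarios are constructed for illustration, and the "site" comparison uses the last two host labels as a simplification of the Public Suffix List that real browsers consult.

```javascript
// Added example modelling SameSite cookie behaviour; not Microsoft Edge's code.
// Hosts and cookie values below are constructed for the demonstration.

// Methods treated as "safe" for a Lax cookie on a top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Simplification: real browsers use the Public Suffix List to find the
// registrable domain; here we take the last two labels of the host.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function isSameSite(requestHost, initiatorHost) {
  return registrableDomain(requestHost) === registrableDomain(initiatorHost);
}

// Server side: build the Set-Cookie header for a session cookie.
function setCookieHeader(name, value, { sameSite, secure = true, httpOnly = true } = {}) {
  const parts = [`${name}=${value}`, 'Path=/'];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Browser side: parse the header into the stored cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    if (key.toLowerCase() === 'samesite') cookie.sameSite = (val || '').toLowerCase();
  }
  return cookie;
}

// Decide whether `cookie` (stored for request.host's site) is attached.
// request = { host, initiatorHost, method, topLevelNavigation, supportsSameSite }
function shouldSendCookie(cookie, request) {
  // A browser without SameSite support ignores the attribute entirely.
  if (request.supportsSameSite === false) return true;
  // Same-site requests always carry the cookie, whatever the attribute.
  if (isSameSite(request.host, request.initiatorHost)) return true;
  switch (cookie.sameSite) {
    case 'strict':
      return false; // never cross-site, not even for a clicked link
    case 'lax':
      // Only top-level navigations with a safe method: a clicked link yes,
      // an <img> or XHR no, a cross-site POST form submission no.
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    default:
      // No attribute: behaviour at the time of the post, i.e. sent cross-site
      // (modern Chromium-based browsers default such cookies to Lax).
      return true;
  }
}

// Scenarios mirroring the article: example.com initiating requests to microsoft.com.
function demoScenarios() {
  const strict = parseSetCookie(setCookieHeader('session', 'abc123', { sameSite: 'Strict' }));
  const lax = parseSetCookie(setCookieHeader('session', 'abc123', { sameSite: 'Lax' }));
  const linkClick = { host: 'microsoft.com', initiatorHost: 'example.com', method: 'GET', topLevelNavigation: true };
  const image = { ...linkClick, topLevelNavigation: false };
  const formPost = { ...linkClick, method: 'POST' }; // classic CSRF vector
  const sameSiteNav = { ...linkClick, initiatorHost: 'www.microsoft.com' };
  return {
    strictLinkClick: shouldSendCookie(strict, linkClick), // false: user looks logged out
    laxLinkClick: shouldSendCookie(lax, linkClick),       // true
    laxImage: shouldSendCookie(lax, image),               // false
    laxFormPost: shouldSendCookie(lax, formPost),         // false
    strictSameSite: shouldSendCookie(strict, sameSiteNav), // true
    legacyBrowser: shouldSendCookie(strict, { ...linkClick, supportsSameSite: false }), // true
  };
}

console.log(setCookieHeader('session', 'abc123', { sameSite: 'Lax' }));
console.log(demoScenarios());
```

The `legacyBrowser` case is the backwards-compatibility point: an older browser simply drops the unknown attribute, so the cookie rides along on the cross-site request exactly as it did before, which is why the attribute complements rather than replaces anti-forgery tokens.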
The company states,
“We continuously work to improve our support of standards towards a more interoperable web. Although same-site cookies is not yet a finalized standard at the Internet Engineering Task Force (IETF), we believe the feature is stable and compelling enough to warrant an early implementation as the standardization process progresses.”