Sensitive cookie without SameSite restrictions

ID: js/samesite-none-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-1275
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Authentication cookies where the SameSite attribute is set to “None” can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.
With SameSite set to “None”, a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.
Recommendation

Set the SameSite attribute to Strict on all sensitive cookies.
Example

The following example stores an authentication token in a cookie where the SameSite attribute is set to None.

```javascript
const http = require('http');

const server = http.createServer((req, res) => {
  // makeAuthkey() is assumed to exist elsewhere in the application.
  // SameSite=None lets cross-site requests carry this cookie.
  res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h2>Hello world</h2>');
});
```
To prevent the cookie from being included in cross-site requests, set the SameSite attribute to Strict.

```javascript
const http = require('http');

const server = http.createServer((req, res) => {
  // makeAuthkey() is assumed to exist elsewhere in the application.
  // SameSite=Strict keeps the cookie off cross-site requests.
  res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h2>Hello world</h2>');
});
```
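As an added example that is not part of the CodeQL documentation, the following Node.js helper parses Set-Cookie header values and flags sensitive cookies sent with SameSite=None (the condition this query reports), alongside a builder that emits the recommended attributes. The sensitive-name heuristic, the cookie value and the sample headers are constructed assumptions.

```javascript
// Added example, not code from the CodeQL documentation. The sensitive-name
// heuristic and the sample Set-Cookie values below are constructed assumptions.
const SENSITIVE_NAME = /auth|session|token|sid/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Audit one Set-Cookie value; returns a list of findings (empty when acceptable).
// Mirrors the query's condition: a sensitive cookie sent with SameSite=None.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!SENSITIVE_NAME.test(name)) return findings;
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (sameSite === 'none') findings.push(`${name}: SameSite=None lets cross-site requests carry the cookie`);
  if (sameSite === undefined) findings.push(`${name}: SameSite not set explicitly`);
  if (attrs.secure !== true) findings.push(`${name}: Secure flag missing`);
  if (attrs.httponly !== true) findings.push(`${name}: HttpOnly flag missing`);
  return findings;
}

// Build a Set-Cookie value for an authentication cookie with the recommended attributes.
function buildAuthCookie(name, value, { sameSite = 'Strict', maxAge = 3600 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Constructed samples: the page's vulnerable header, the fixed one, and a non-sensitive cookie.
const samples = [
  'authKey=abc123; secure; httpOnly; SameSite=None',
  buildAuthCookie('authKey', 'abc123'),
  'theme=dark; Path=/',
];
for (const h of samples) console.log(h, '->', auditSetCookie(h));
```

Running the audit over an application's actual Set-Cookie responses (for example in an integration test) catches a SameSite=None authentication cookie before it reaches production.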
References
MDN Web Docs: SameSite cookies.
OWASP: SameSite.
Common Weakness Enumeration: CWE-1275.