Nowadays cookies can have HTTPOnly, Secure and SameSite flags. The purposes of HTTPOnly and Secure flags are pretty clear. But what does SameSite scripting prevent exactly and how?

Additionally, what would a scenario of successful "attacking" or "misusing" look like when the SameSite flag is not used?

Bob Ortiz

2 Answers

The goals of the SameSite flag are:

  • prevent cross-site timing attacks (see e.g. here)
  • prevent cross-site script inclusion (see here)
  • prevent CSRF: SameSite cookies are only sent if the site the request originated from is in the same site as the target site (in strict mode for GET and POST, in lax mode only for POST requests).
  • limited privacy protection
Jespertheend
tim
The actual answer should be, as always: it depends on your usage scenario.

The Strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project. A bank website, however, most likely doesn't want to allow any transactional pages to be linked from external sites, so the Strict flag would be most appropriate there.

The default Lax value provides a reasonable balance between security and usability for websites that want to maintain a user's logged-in session after the user arrives from an external link. In the above GitHub scenario, the session cookie would be allowed when following a regular link from an external website while being blocked in CSRF-prone request methods (e.g. POST).

Niko
kravietz
  • Note that the value should be `Strict` or `Lax` with a capital first letter according to the draft found at https://tools.ietf.org/html/draft-west-first-party-cookies-07 – jlh Jun 05 '18 at 12:02
  • @jlh I've updated the answer accordingly – Niko Jun 22 '18 at 10:20
  • @jlh according to https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7 all of `SameSite`, `Strict` and `Lax` use case-insensitive match, as usual for HTTP headers. – Mikko Rantalainen Jul 12 '18 at 11:38
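To make the Strict-versus-Lax behaviour from the second answer concrete, here is an added example (not code from either answer) that models the browser's decision for the scenarios it describes: a cross-site link click, a cross-site POST form, an embedded image, and a same-site request. It assumes the draft's rule that Lax only attaches the cookie to top-level navigations using a "safe" method (GET, HEAD, OPTIONS, TRACE), and, following the comment above, parses the `SameSite` attribute case-insensitively, defaulting to Lax when it is missing.

```python
from dataclasses import dataclass

# "Safe" request methods per the RFC 6265bis draft (assumption stated in the lead-in)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_samesite(set_cookie_header: str) -> str:
    """Return the normalised SameSite value ('Strict', 'Lax' or 'None') of a
    Set-Cookie header. Attribute names and values match case-insensitively;
    a missing or unrecognised value falls back to the default, Lax."""
    for attr in set_cookie_header.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.strip().lower() == "samesite":
            v = value.strip().lower()
            if v in ("strict", "lax", "none"):
                return v.capitalize()
    return "Lax"


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiator's site differs from the cookie's site
    top_level_navigation: bool  # link click / form submit, as opposed to img, iframe, XHR


def cookie_is_sent(samesite: str, req: Request) -> bool:
    """Model of whether the browser attaches the cookie to this request."""
    if not req.cross_site or samesite == "None":
        return True
    if samesite == "Strict":
        return False          # never sent in any cross-site context
    # Lax: only a top-level navigation with a safe method carries the cookie
    return req.top_level_navigation and req.method.upper() in SAFE_METHODS


# Constructed scenarios mirroring the answer's GitHub/bank discussion
SCENARIOS = {
    "follow link from forum/email": Request("GET", True, True),
    "cross-site POST form (CSRF-style)": Request("POST", True, True),
    "embedded <img> from other site": Request("GET", True, False),
    "same-site POST": Request("POST", False, True),
}


def evaluate(set_cookie_header: str) -> dict:
    """Map each scenario name to whether the cookie set by the header is sent."""
    mode = parse_samesite(set_cookie_header)
    return {name: cookie_is_sent(mode, req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for hdr in ("session=abc; Secure; HttpOnly; SameSite=Strict",
                "session=abc; Secure; HttpOnly; samesite=lax"):
        print(hdr, evaluate(hdr))
```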