
Site A will have an <img> tag whose src= attribute is an absolute URL pointing to site B.

Site B will return an image response, and in that response a cookie will be set (cookie of Site B's domain).

This is being done because the Safari browser blocks cookies set from iframe sites. By doing so, the iframe site here (site B) will set the cookie outside the iframe, and from there onwards it can set cookies even inside the iframe.

I'm concerned with any vulnerability that might arise out of this scenario (if any) as I am not really aware of such security issues. Can someone please point me to the right source if this is a potential vulnerability?

void

  • What is the purpose of the cookie? Is this a session cookie that authenticates the user? You seem to be using cross-site cookies, and [to make sure they work correctly in Chrome](https://web.dev/samesite-cookies-explained) you should mark them as SameSite=None. – Sjoerd Sep 10 '19 at 10:41
  • Basically, a few browsers block iframe cookies. Site B will be in an iframe, so this makes it possible to set cookies from the iframe (site B). – void Sep 10 '19 at 10:52
  • @void If being in an iframe matters (or might do), you should probably edit that fact into the question. – TripeHound Sep 10 '19 at 12:29

1 Answer

TL;DR: If the cookie you use can be used to authorize any action on site B, then that site becomes vulnerable to a CSRF attack.

As @Sjoerd has already pointed out in his comment, you need to set the SameSite attribute of the cookie to None, otherwise the cookie won't be sent to site B when the image is retrieved.

This could very well be a vulnerability, depending on the effect the cookie has on site B. The SameSite attribute was invented to prevent a Cross-Site Request Forgery (CSRF) attack. By setting SameSite=None on the cookie, you are disabling that CSRF protection of site B.

mat
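A defender-side sketch of what the answer implies, as an added example that is not code from the question or the answer: site B's image response sets its cookie with SameSite=None (which browsers only accept together with Secure), and site B's state-changing endpoints refuse to treat that cookie alone as authorization. The cookie name, the form field name and the header handling are assumptions.

```python
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed example for this thread; names such as "b_id" and
# "csrf_token" are placeholders, not values from the question.


def image_set_cookie_header(value: str) -> str:
    """Set-Cookie value for the cookie dropped by site B's <img> response.

    A cookie that must travel on a cross-site image request needs
    SameSite=None, and browsers only honour SameSite=None when Secure is
    also set. HttpOnly keeps it away from page scripts.
    """
    cookie = SimpleCookie()
    cookie["b_id"] = value
    cookie["b_id"]["path"] = "/"
    cookie["b_id"]["secure"] = True
    cookie["b_id"]["httponly"] = True
    cookie["b_id"]["samesite"] = "None"
    return cookie["b_id"].OutputString()


def allow_state_change(method: str, headers: Dict[str, str],
                       form: Dict[str, str],
                       session_csrf_token: Optional[str]) -> bool:
    """Server-side gate for site B's state-changing endpoints.

    With SameSite=None the browser attaches b_id to requests started by any
    site, so the cookie alone cannot prove the user meant to act. Accept the
    request only if the browser did not flag it as cross-site and it carries
    a per-session CSRF token matching the one stored server-side.
    Header keys are assumed to be canonically cased.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state; nothing to gate
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return False  # browser reports another site initiated this request
    token = form.get("csrf_token")
    if not token or not session_csrf_token:
        return False  # cookie-only authorization is exactly the CSRF hole
    return hmac.compare_digest(token, session_csrf_token)
```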