Typical case: website A (SameSite.a.com) is embedded in website B (test.b.com) as an iframe. When the iframe (site A) is loaded, site A issues a setCookie request, but the cookie is not written. Take login information as an example: most systems initiate a login request when the visitor's login information fails verification. The login response sets the cookie and at the same time redirects back to the system; because the cookie was never stored, verification fails again and the page may redirect and refresh repeatedly in an endless loop.

Preface

CSRF attack (Cross-Site Request Forgery)

Typical CSRF attack flow:

  • The victim logs on to a.com and keeps the login credentials (cookies) in the browser.
  • The attacker lures the victim into visiting b.com.
  • b.com sends a request to a.com, such as a.com/act=xx. The browser attaches a.com's cookies by default.
  • a.com receives the request, verifies the cookies, confirms they are the victim's credentials, and mistakes it for a request sent by the victim.
  • a.com executes act=xx on behalf of the victim.
  • The attack is complete: without the victim's knowledge, the attacker has impersonated the victim and made a.com perform an operation of the attacker's choosing.

Cookie

Stateful protocol: a connection with the server must be maintained at all times. If the connection is dropped, whatever was in progress is lost, and after the connection is re-established you have to start from the beginning.

HTTP is a stateless protocol: if the same client sends multiple requests to the server, the server does not know that they come from the same client. For accessing a static file this is not a problem, but to serve a large user base properly the server needs to know which user each request comes from. For example, when shopping on Taobao you only need to log in once; when you later initiate a purchase request, the server already knows you are logged in and does not ask you to log in again.

To solve this, a small part of the browser's storage is used to hold the current user's 'state' (the cookie). Each time an HTTP request is made, this state is carried in the request so that the server knows 'who you are'.

Risk: major advertising and shopping websites can use third-party cookies to collect user data and pry into user privacy.

Third-party cookies

Visiting www.taobao.com writes some cookies under the .taobao.com domain. But if you open the console you will see many cookies under other domains. All the cookies that do not belong to the current domain are third-party cookies: they come from sites you have probably never visited, yet those sites quietly identify you through these cookies and receive your personal information.



At this point, visiting Tmall requires no further login.

Use of third-party cookies
  • Front-end log management

Most websites include third-party SDKs for front-end exception or performance monitoring, which upload the monitored information to their own servers through some interface. They usually need to identify each user, for troubleshooting or UV (unique visitor) statistics, so when your site is requested they may set a cookie under your domain that all subsequent log requests will carry.

Because these third-party SDKs are generally generic monitoring services, they have their own domain names, such as log.com, so the cookies they plant under your domain name mysite.com are third-party cookies.

  • Advertising and marketing
    • Facebook Pixel

    In e-commerce, tracking traffic, conversion rate and sales is what the business cares about most. Facebook Pixel, which is simply a snippet of JavaScript code, is used to track ad conversions, improve audience targeting and maximize the return on ad spend.

    • mmstat

When we search for something on a search engine or a video website and then open a shopping site, we receive recommendations related to everything we showed interest in. This is commonplace now: major shopping sites and advertisers use third-party cookies to collect your age, gender and browsing history, infer your interests and preferences, and serve precise recommendations. For example, when browsing Baidu, Youku, Tmall and other websites, we can see several cookies under the .mmstat.com domain.

The browser's policy for cookies


Since Chrome 80, the SameSite attribute of cookies defaults to Lax, which restricts third-party cookies. Systems that rely on third-party cookies often see login failures and system errors as a result. In Safari 13.1 and Firefox 79, third-party cookies are disabled by default.

Chrome

Chrome 51 added a new cookie attribute, SameSite, which prevents cookies from being sent along with cross-site requests. The primary goal is to reduce the risk of cross-site information leakage; it also prevents CSRF attacks to some extent.

The SameSite attribute

SameSite is a cookie attribute that restricts third-party cookies. It has three values:

  1. Strict (forbids third-party cookies entirely)
  2. Lax (the default cookie policy since Chrome 80)
  3. None (the browser continues to send cookies on both same-site and cross-site requests; the value is case-insensitive)

Note: when a cookie's SameSite is set to None, Secure must also be set, which means your site must support HTTPS.
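The following is an added example, not code from the original article: a simplified model of how a SameSite-aware browser decides whether a cookie accompanies a request, applied to the article's scenario (samesite.a.com inside an iframe on test.b.com). It assumes that "same site" compares the last two DNS labels (no multi-label public suffixes such as co.uk), that a cookie without a SameSite attribute is treated as Lax (the Chrome 80 default), and it ignores Chrome's short-lived "Lax+POST" exception.

```javascript
// Added example (not from the original article): simplified SameSite decision model.
// Assumptions: registrable domain = last two DNS labels; missing SameSite => Lax;
// the "Lax+POST" grace period Chrome applies to fresh cookies is ignored.

function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function isSameSite(cookieHost, requestingHost) {
  return registrableDomain(cookieHost) === registrableDomain(requestingHost);
}

// cookie:  { host, sameSite?: 'Strict'|'Lax'|'None', secure: boolean }
// request: { fromHost, https, topLevelNavigation, method }
// The same rule decides whether a cross-site response may store the cookie,
// which is why the iframe login in the article never gets its cookie written.
function cookieWouldBeSent(cookie, request) {
  const mode = (cookie.sameSite || 'Lax').toLowerCase(); // value is case-insensitive
  if (mode === 'none' && !cookie.secure) return false;   // None without Secure is rejected
  if (cookie.secure && !request.https) return false;     // Secure cookies need HTTPS
  if (isSameSite(cookie.host, request.fromHost)) return true; // SameSite only limits cross-site
  switch (mode) {
    case 'strict':
      return false; // never on a cross-site request
    case 'lax':
      // Only top-level navigations with a safe method (e.g. following a link);
      // never for an iframe, image or XHR embedded in another site.
      return request.topLevelNavigation && request.method === 'GET';
    case 'none':
      return true;
    default:
      return false; // unknown value: fail closed in this model
  }
}

// Constructed inputs for the article's scenario.
const iframeLoad = { fromHost: 'test.b.com', https: true, topLevelNavigation: false, method: 'GET' };
const linkClick  = { fromHost: 'test.b.com', https: true, topLevelNavigation: true, method: 'GET' };
const loginCookieDefault = { host: 'samesite.a.com', secure: false };                  // no SameSite
const loginCookieNone    = { host: 'samesite.a.com', sameSite: 'None', secure: true }; // solution 2
const loginCookieMoved   = { host: 'samesite.b.com', secure: false };                  // solution 1
```

Running `cookieWouldBeSent(loginCookieDefault, iframeLoad)` returns false (the login loop), while `loginCookieNone` and `loginCookieMoved` both return true for the same iframe load.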

Verifying whether the problem is SameSite

If a third-party setCookie request fails, the following steps verify whether SameSite is the cause. Enter chrome://flags/ in the address bar and find these two flags: SameSite by default cookies and Cookies without SameSite must be secure. Set both to Disabled and restart the browser. If the cookie is now written, the SameSite policy was the cause.

Solutions

Solution 1: unify the parent domain

For example, change website A's domain name from SameSite.a.com to SameSite.b.com, so that it shares the parent domain of website B's test.b.com. This requires applying for a new domain name and redirecting the original domain name to the new one.

Solution 2: upgrade to HTTPS

Special attention:

  • SameSite=None needs to be set only for Chrome 80 and later. Chrome 51 to Chrome 66 and some other browsers do not accept SameSite=None.
  • If HTTP and HTTPS are both in use, enable Secure (together with SameSite=None) only for HTTPS. The reason is that when Secure is set, the cookie is sent to the server only over a secure channel: the browser will only send it for session authentication over an HTTPS connection.
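As an added example (not code from the original article), the function below builds a login Set-Cookie header that adds SameSite=None; Secure only when the request arrived over HTTPS and the browser accepts SameSite=None. The Chrome 51 to 66 check is a simplified assumption based on the User-Agent string, not a complete incompatible-client list, and the User-Agent strings are constructed.

```javascript
// Added example (not from the original article): conditional SameSite=None; Secure.
// Assumption: the only "rejects None" case handled is Chrome 51-66 via User-Agent.

function chromeMajorVersion(userAgent) {
  const m = /Chrome\/(\d+)/.exec(userAgent || '');
  return m ? parseInt(m[1], 10) : null;
}

// Chrome 51 to 66 do not accept SameSite=None (see the note above).
function rejectsSameSiteNone(userAgent) {
  const v = chromeMajorVersion(userAgent);
  return v !== null && v >= 51 && v <= 66;
}

// opts: { isHttps: boolean, userAgent: string, maxAge?: number }
function buildSessionSetCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly'];
  if (typeof opts.maxAge === 'number') parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.isHttps && !rejectsSameSiteNone(opts.userAgent)) {
    // Cross-site (iframe) use needs SameSite=None, and None is only valid with Secure.
    parts.push('SameSite=None', 'Secure');
  }
  // Over plain HTTP, or for a browser that rejects None, SameSite is omitted: the
  // cookie then falls back to the browser default (Lax on Chrome 80+) and will not
  // be usable inside a cross-site iframe, so solution 1 is the only option there.
  return parts.join('; ');
}

// Constructed User-Agent strings for the checks below.
const UA_CHROME_85 = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36';
const UA_CHROME_60 = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36';
```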

Chrome has also announced that it will disable third-party cookies in incognito mode starting with the next version, Chrome 83, and that it will disable third-party cookies altogether in 2022, at which point setting SameSite to None will no longer help.

Safari

Third-party cookies are disabled by default. The restriction can be removed by manually changing the browser's privacy settings.

Possible problems when third-party cookies are blocked

Front-end log exceptions

You may see UV inflated while PV does not change at all. Cause: the third-party cookie used by the SDK is blocked, so the SDK can no longer write its cookie under your domain, and every page refresh carries a new cookie. The back end mistakenly treats these as requests from different users and counts each one in the UV.

Smart ad recommendations disappear

Unable to track conversion rates

For example, when you view an item, a cookie is placed in your browser to record that you have seen it. If you then enter the conversion phase (buying, adding to favourites, etc.), each of these actions can be tracked to calculate the impact of the ad placement and optimize the strategy. Without that cookie, the actions can no longer be tied to the original view.