ID: js/samesite-none-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-1275
Query suites:
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Authentication cookies where the SameSite attribute is set to “None” can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.
With SameSite set to “None”, a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.
Recommendation
Set the SameSite attribute to Strict on all sensitive cookies.
Example
The following example stores an authentication token in a cookie where the SameSite attribute is set to None.
```javascript
const http = require('http');
const crypto = require('crypto');
// Added so the snippet runs on its own: the original left makeAuthkey undefined.
const makeAuthkey = () => crypto.randomBytes(32).toString('hex');

const server = http.createServer((req, res) => {
  // SameSite=None: browsers attach this cookie to cross-site requests, so a
  // third-party page can make authenticated requests on the user's behalf.
  res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h2>Hello world</h2>');
});
server.listen(8080);
```
To prevent the cookie from being included in cross-site requests, set the SameSite attribute to Strict.
```javascript
const http = require('http');
const crypto = require('crypto');
// Added so the snippet runs on its own: the original left makeAuthkey undefined.
const makeAuthkey = () => crypto.randomBytes(32).toString('hex');

const server = http.createServer((req, res) => {
  // SameSite=Strict: the cookie is only sent on same-site requests, so a
  // cross-site request forged by another origin arrives unauthenticated.
  res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h2>Hello world</h2>');
});
server.listen(8080);
```
References
MDN Web Docs: SameSite cookies.
OWASP: SameSite.
Common Weakness Enumeration: CWE-1275.