A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence

Luca Compagna; H.L. Jonker; Johannes Krochewski; Benjamin Krumnow; Merve Sahin

doi:10.1109/eurospw54576.2021.00012

A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence

Luca Compagna, H.L. Jonker, Johannes Krochewski, Benjamin Krumnow, Merve Sahin

Research output: Chapter in Book/Report/Conference proceeding › Conference Article in proceeding › Academic › peer-review

Abstract

The SameSite cookie attribute was introduced to prevent Cross-site Request Forgery (CSRF) attacks. Major browsers support SameSite functionality since 2016. Since 2020, browsers enforce it by default. These developments sometimes have been celebrated as the end of CSRF. In this paper, we have a closer look into the potential of SameSite mechanism to effectively fight CSRF in practice. Our measurements and evaluations over most popular websites indicate that, if properly deployed, the SameSite mechanism can be effective against the major CSRF attack scenario. Still, like any other countermeasure, it is not likely to be a silver bullet to end CSRF, due to various scenarios that require additional protection. We refactor our findings in a set of guidelines for the web community on how to make best use of SameSite and what it is left to do to fight CSRF.

Original language	English
Title of host publication	IEEE European Symposium on Security and Privacy Workshops
Subtitle of host publication	(EuroS&PW)
Publisher	IEEE
Pages	49-59
Number of pages	11
ISBN (Electronic)	978-1-6654-1012-0
ISBN (Print)	978-1-6654-1013-7
DOIs	https://doi.org/10.1109/eurospw54576.2021.00012
Publication status	Published - 29 Oct 2021
Event	2021 IEEE European Symposium on Security and Privacy Workshops - Vienna, Austria Duration: 6 Sept 2021 → 10 Sept 2021 https://ieeexplore.ieee.org/xpl/conhome/9583613/proceeding

Conference

Conference	2021 IEEE European Symposium on Security and Privacy Workshops
Country/Territory	Austria
City	Vienna
Period	6/09/21 → 10/09/21
Internet address	https://ieeexplore.ieee.org/xpl/conhome/9583613/proceeding

Keywords

Browser security
CSRF
SameSite

Access to Document

10.1109/eurospw54576.2021.00012

Cite this

@inproceedings{33e17333b4f345fe8cbe919deb72cebb,

title = "A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence",

abstract = "The SameSite cookie attribute was introduced to prevent Cross-site Request Forgery (CSRF) attacks. Major browsers support SameSite functionality since 2016. Since 2020, browsers enforce it by default. These developments sometimes have been celebrated as the end of CSRF. In this paper, we have a closer look into the potential of SameSite mechanism to effectively fight CSRF in practice. Our measurements and evaluations over most popular websites indicate that, if properly deployed, the SameSite mechanism can be effective against the major CSRF attack scenario. Still, like any other countermeasure, it is not likely to be a silver bullet to end CSRF, due to various scenarios that require additional protection. We refactor our findings in a set of guidelines for the web community on how to make best use of SameSite and what it is left to do to fight CSRF.",

keywords = "Browser security, CSRF, SameSite",

author = "Luca Compagna and H.L. Jonker and Johannes Krochewski and Benjamin Krumnow and Merve Sahin",

year = "2021",

month = oct,

day = "29",

doi = "10.1109/eurospw54576.2021.00012",

language = "English",

isbn = "978-1-6654-1013-7",

pages = "49--59",

booktitle = "IEEE European Symposium on Security and Privacy Workshops",

publisher = "IEEE",

address = "United States",

note = "2021 IEEE European Symposium on Security and Privacy Workshops ; Conference date: 06-09-2021 Through 10-09-2021",

url = "https://ieeexplore.ieee.org/xpl/conhome/9583613/proceeding",

}

Compagna, L, Jonker, HL, Krochewski, J, Krumnow, B & Sahin, M 2021, A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence. in IEEE European Symposium on Security and Privacy Workshops: (EuroS&PW). IEEE, pp. 49-59, 2021 IEEE European Symposium on Security and Privacy Workshops, Vienna, Austria, 6/09/21. https://doi.org/10.1109/eurospw54576.2021.00012

A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence. / Compagna, Luca; Jonker, H.L.; Krochewski, Johannes et al.
IEEE European Symposium on Security and Privacy Workshops: (EuroS&PW). IEEE, 2021. p. 49-59.

Research output: Chapter in Book/Report/Conference proceeding › Conference Article in proceeding › Academic › peer-review

TY - GEN

T1 - A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence

AU - Compagna, Luca

AU - Jonker, H.L.

AU - Krochewski, Johannes

AU - Krumnow, Benjamin

AU - Sahin, Merve

PY - 2021/10/29

Y1 - 2021/10/29

N2 - The SameSite cookie attribute was introduced to prevent Cross-site Request Forgery (CSRF) attacks. Major browsers support SameSite functionality since 2016. Since 2020, browsers enforce it by default. These developments sometimes have been celebrated as the end of CSRF. In this paper, we have a closer look into the potential of SameSite mechanism to effectively fight CSRF in practice. Our measurements and evaluations over most popular websites indicate that, if properly deployed, the SameSite mechanism can be effective against the major CSRF attack scenario. Still, like any other countermeasure, it is not likely to be a silver bullet to end CSRF, due to various scenarios that require additional protection. We refactor our findings in a set of guidelines for the web community on how to make best use of SameSite and what it is left to do to fight CSRF.

AB - The SameSite cookie attribute was introduced to prevent Cross-site Request Forgery (CSRF) attacks. Major browsers support SameSite functionality since 2016. Since 2020, browsers enforce it by default. These developments sometimes have been celebrated as the end of CSRF. In this paper, we have a closer look into the potential of SameSite mechanism to effectively fight CSRF in practice. Our measurements and evaluations over most popular websites indicate that, if properly deployed, the SameSite mechanism can be effective against the major CSRF attack scenario. Still, like any other countermeasure, it is not likely to be a silver bullet to end CSRF, due to various scenarios that require additional protection. We refactor our findings in a set of guidelines for the web community on how to make best use of SameSite and what it is left to do to fight CSRF.

KW - Browser security

KW - CSRF

KW - SameSite

U2 - 10.1109/eurospw54576.2021.00012

DO - 10.1109/eurospw54576.2021.00012

M3 - Conference Article in proceeding

SN - 978-1-6654-1013-7

SP - 49

EP - 59

BT - IEEE European Symposium on Security and Privacy Workshops

PB - IEEE

T2 - 2021 IEEE European Symposium on Security and Privacy Workshops

Y2 - 6 September 2021 through 10 September 2021

ER -

A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this