A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence

Luca Compagna, H.L. Jonker, Johannes Krochewski, Benjamin Krumnow, Merve Sahin

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceeding › Academic › peer-review

Abstract

The SameSite cookie attribute was introduced to prevent Cross-site Request Forgery (CSRF) attacks. Major browsers have supported SameSite functionality since 2016, and since 2020 they enforce it by default. These developments have sometimes been celebrated as the end of CSRF. In this paper, we take a closer look at the potential of the SameSite mechanism to effectively fight CSRF in practice. Our measurements and evaluations over the most popular websites indicate that, if properly deployed, the SameSite mechanism can be effective against the major CSRF attack scenario. Still, like any other countermeasure, it is not likely to be a silver bullet that ends CSRF, because various scenarios require additional protection. We distil our findings into a set of guidelines for the web community on how to make the best use of SameSite and what is left to do to fight CSRF.
Original language: English
Title of host publication: IEEE European Symposium on Security and Privacy Workshops
Subtitle of host publication: (EuroS&PW)
Publisher: IEEE
Pages: 49-59
Number of pages: 11
ISBN (Electronic): 978-1-6654-1012-0
ISBN (Print): 978-1-6654-1013-7
DOIs:
Publication status: Published - 29 Oct 2021
Event: 2021 IEEE European Symposium on Security and Privacy Workshops - Vienna, Austria
Duration: 6 Sept 2021 to 10 Sept 2021
Internet address: https://ieeexplore.ieee.org/xpl/conhome/9583613/proceeding

Conference

Conference: 2021 IEEE European Symposium on Security and Privacy Workshops
Country/Territory: Austria
City: Vienna
Period: 6/09/21 to 10/09/21
Internet address: https://ieeexplore.ieee.org/xpl/conhome/9583613/proceeding

Keywords

  • Browser security
  • CSRF
  • SameSite
