Among the significant changes Microsoft ships in Windows 10 build 17672, support for SameSite cookies in Microsoft Edge and Internet Explorer 11 deserves attention.
In a blog post published today, the company explains the addition of SameSite cookie support in the browser as a defence for users against cross-site request forgery (CSRF). Web developers set the SameSite attribute on a cookie so that the browser does not attach it to requests that originate from other sites.
Microsoft initiates testing of Same-Site Cookie on Windows 10
Previously, when a page on example.com issued a cross-site request to microsoft.com, the browser attached microsoft.com's cookies to that request regardless of where it originated.
Usually that is convenient: state such as login status follows the user whichever site links to it. But an attacker can abuse the same behaviour, most notably in CSRF attacks, where a hostile page makes the victim's browser send an authenticated request the user never intended. SameSite cookies add a defence-in-depth layer against CSRF; they complement, rather than replace, per-request anti-CSRF tokens.
Sites can now set the SameSite attribute on chosen cookies, either in the Set-Cookie response header or through the document.cookie property in JavaScript, and so opt out of the default behaviour of attaching the cookie to cross-site requests: either for all cross-site requests (the Strict value) or for all except the least sensitive ones, top-level navigations such as link clicks (the Lax value).
Specifically, a cookie set with SameSite=Strict is never sent on a cross-site request, including a plain click on a link from another site. If the login session is stored in a SameSite=Strict cookie, a user who follows such a link lands on the site apparently logged out, and stays that way until they navigate within the site itself.
A cookie set with SameSite=Lax is withheld from cross-site subresource requests such as images, and likewise from cross-site form POSTs and script-initiated requests, which are exactly the requests a CSRF attack relies on. It is still sent on a top-level navigation from another site, such as a link click, so the user arrives logged in.
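The following JavaScript models the rules described above. It is a worked example added for this page, not Microsoft's or any browser's code. It builds and parses Set-Cookie headers, then decides whether a cookie is attached to a request depending on its SameSite value and on whether the request is a same-site navigation, a cross-site link click, a cross-site image load or a cross-site form POST. The hosts bank.example and evil.example, the request shapes and the two-label "site" approximation are constructed for the illustration.

```javascript
// Added example for this article: a small model of SameSite cookie handling.
// Not browser or Microsoft code; hosts and requests below are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Build a Set-Cookie header value. SameSite is emitted only when given;
// Secure and HttpOnly default to on, as a session cookie should have both.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite, secure = true, httpOnly = true, path = '/' } = opts;
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into a cookie record. Attribute names are
// case-insensitive (RFC 6265); the SameSite value is normalised to Strict/Lax/None.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = v ? v[0].toUpperCase() + v.slice(1).toLowerCase() : null;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// "Site" of a host, approximated here as its last two labels (assumption for
// the example). Real browsers consult the Public Suffix List instead.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// Decide whether the browser attaches `cookie` (set by `cookieHost`) to a request.
// req = { initiator: host whose page triggered the request, target: host requested,
//         method: HTTP method, topLevel: true for a navigation, false for subresource/fetch }
function shouldAttachCookie(cookie, cookieHost, req) {
  if (site(req.target) !== site(cookieHost)) return false; // cookie belongs to a different site
  const crossSite = site(req.initiator) !== site(req.target);
  if (!crossSite) return true; // same-site requests always carry the cookie
  switch (cookie.sameSite) {
    case 'Strict':
      return false; // never on a cross-site request, not even a link click
    case 'Lax':
      return req.topLevel && SAFE_METHODS.has(req.method); // link click yes; image, fetch, form POST no
    default:
      return true; // no attribute (or None): the pre-SameSite behaviour, attached to every cross-site request
  }
}

// The CSRF scenario from the article, run once per SameSite setting.
function csrfMatrix() {
  const bankHost = 'bank.example';
  const requests = {
    linkClick: { initiator: 'evil.example', target: 'bank.example', method: 'GET', topLevel: true },
    image: { initiator: 'evil.example', target: 'bank.example', method: 'GET', topLevel: false },
    formPost: { initiator: 'evil.example', target: 'bank.example', method: 'POST', topLevel: true },
    sameSiteNav: { initiator: 'www.bank.example', target: 'bank.example', method: 'GET', topLevel: true },
  };
  const result = {};
  for (const sameSite of [undefined, 'Lax', 'Strict']) {
    const cookie = parseSetCookie(buildSetCookie('session', 'abc123', { sameSite }));
    const row = {};
    for (const [name, req] of Object.entries(requests)) row[name] = shouldAttachCookie(cookie, bankHost, req);
    result[sameSite || 'unset'] = row;
  }
  return result;
}

console.log(JSON.stringify(csrfMatrix(), null, 2));
```

The "unset" row is the legacy behaviour the article describes, and it is also what a browser without SameSite support does with a cookie that carries the attribute. Note that the forged form POST is blocked by Lax as well as Strict, while only Strict also breaks the inbound link click; that is the trade-off when choosing a value for a session cookie.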
For developers worried about backward compatibility, Microsoft notes that browsers without SameSite support simply ignore the attribute and keep their existing behaviour, so setting it cannot break those browsers. The flip side is that users on such browsers get no protection from it, which is another reason not to rely on SameSite alone.
SameSite cookie support is currently being tested in the Redstone 5 development branch. Microsoft says the feature will ship in Microsoft Edge and Internet Explorer 11 on Windows 10 Creators Update and later.
Although it is only now being tested on Windows 10, SameSite support has been available in Chrome since version 51 and in Firefox since version 60. Separately, Chrome 69, due in September, drops the 'Secure' label from HTTPS sites as part of Google's 'HTTPS 100%' plan: the intent is that HTTPS becomes the unremarkable default, with plain HTTP pages flagged as 'Not secure' instead.
