Background: I'm working on an application where I'm looking into further restricting my cross-site cookies by modifying the default value for SameSite on my cookies. Before I make the change, I'm investigating to get a better sense of which requests will be affected by a change from Lax to Strict.
Per XS-Leaks:
The only difference between Lax and Strict is that Lax mode allows cookies to be added to requests triggered by cross-site top-level navigations. This makes Lax cookies much easier to deploy since they won’t break incoming links to your application.
(See also: this RFC draft)
To narrow down the relevant requests in my logs, I'm looking at requests that have the Sec-Fetch-Site header set to cross-site. I'm wondering if I can also get a sense of which interactions involve top-level navigation by looking at the Sec-Fetch-Mode header. Does the navigation value for that header correspond exactly to the definition of top-level navigation for the purpose of sending SameSite Lax cookies?
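As an added example (not from the question or the XS-Leaks page), a small Python classifier over constructed log lines that applies the Sec-Fetch-Site / Sec-Fetch-Mode check discussed above, together with two details from the Fetch Metadata and RFC 6265bis definitions: Sec-Fetch-Mode: navigate also covers nested frame navigations, so Sec-Fetch-Dest: document is needed to single out top-level ones, and Lax cookies only accompany safe methods. The log field names and paths are assumptions.

```python
# Added example (not from the original question): classify constructed request
# log lines by their Fetch Metadata headers to find the cross-site top-level
# navigations that carry SameSite=Lax cookies today but would lose them under Strict.
import json

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # RFC 6265bis: Lax needs a safe method

# Constructed JSON-lines log: one request per line with the headers that matter.
SAMPLE_LOG = """
{"method":"GET","path":"/dashboard","sec_fetch_site":"cross-site","sec_fetch_mode":"navigate","sec_fetch_dest":"document"}
{"method":"POST","path":"/login","sec_fetch_site":"cross-site","sec_fetch_mode":"navigate","sec_fetch_dest":"document"}
{"method":"GET","path":"/embed","sec_fetch_site":"cross-site","sec_fetch_mode":"navigate","sec_fetch_dest":"iframe"}
{"method":"GET","path":"/api/me","sec_fetch_site":"cross-site","sec_fetch_mode":"cors","sec_fetch_dest":"empty"}
{"method":"GET","path":"/home","sec_fetch_site":"same-origin","sec_fetch_mode":"navigate","sec_fetch_dest":"document"}
{"method":"GET","path":"/legacy"}
"""

def classify(req):
    """Label a request by how a Lax -> Strict change would affect its cookies.

    lax-only : cross-site top-level navigation with a safe method; Lax cookies are
               sent now, Strict cookies would not be (the requests to look for).
    none     : cross-site, but neither Lax nor Strict cookies are sent anyway
               (CORS/subresource fetches, nested-frame navigations, POST navigations).
    both     : same-site or user-initiated ("none"); Lax and Strict behave alike.
    unknown  : Sec-Fetch-* headers absent (older browser or non-browser client).
    """
    site, mode, dest = (req.get(k) for k in ("sec_fetch_site", "sec_fetch_mode", "sec_fetch_dest"))
    if site is None or mode is None:
        return "unknown"
    if site in ("same-origin", "same-site", "none"):
        return "both"
    # Sec-Fetch-Mode: navigate alone is not "top-level": it also covers iframe/frame
    # navigations, so additionally require Sec-Fetch-Dest: document.
    top_level_nav = mode == "navigate" and dest == "document"
    if top_level_nav and req.get("method", "GET").upper() in SAFE_METHODS:
        return "lax-only"
    return "none"

def lax_to_strict_report(log_text=SAMPLE_LOG):
    """Parse JSON-lines log text and group request paths by classify() label."""
    report = {}
    for line in log_text.strip().splitlines():
        req = json.loads(line)
        report.setdefault(classify(req), []).append(req["path"])
    return report
```

Requests labelled "unknown" need a different signal (for example the Referer header) since the Sec-Fetch-* headers are only sent by browsers that implement Fetch Metadata.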