Samesite cookie but allow specific domain
Asked by JC Raja
I would like to secure my cookies using SameSite=strict. But is there a way to allow it to be accessed by a few domains alone?
There are 2 answers
Heiko Theißen:
Take a look at the upcoming First Party Sets proposal from Google. This allows certain domains to be treated as if requests between them were same-site.
Note, however, that this is still in an early stage, is for now Google-specific and requires you to register the domains in a public repository.
Whitelisting strict referral domains would be a fantastic enhancement to cookie management, but AFAIK this doesn't exist. I am evaluating my own solution: set cookies to Lax and then implement my own whitelist that permits specific referrers; if the referring/redirecting website is not on the whitelist, delete all cookies and force the user to the login page. This would momentarily list/present existing cookies, which could be captured, but they would be useless because the page(s) that were redirected to would immediately delete the cookies because the referrer wasn't whitelisted.
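Added example (not code from either answer's author): a server-side request screen implementing the Lax-plus-referrer-allowlist idea above. The hostnames, cookie names and `/login` path are assumptions, and the header object is assumed to use lower-case keys as Node's `http` module does.

```javascript
// Allowlist of hosts permitted to refer/redirect users into the app (assumed values).
const ALLOWED_REFERRER_HOSTS = new Set(['app.example.test', 'partner.example.test']);
// Cookies that carry authentication state and must be cleared on a rejected referral.
const SESSION_COOKIES = ['session', 'csrf'];
const LOGIN_PATH = '/login';

// Set-Cookie value for a session cookie using SameSite=Lax (the mode the answer settles on).
function laxCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Set-Cookie value that makes the browser delete the named cookie immediately.
function expireCookie(name) {
  return `${name}=; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=0`;
}

// Hostname from a Referer header, or null when the header is absent or unparsable.
function referrerHost(referer) {
  if (!referer) return null;
  try { return new URL(referer).hostname.toLowerCase(); } catch { return null; }
}

// Decide how to handle a request. `headers` is a plain object with lower-case keys,
// `path` is the request path. Returns { status, location?, setCookie }.
function screenRequest(headers, path, allowed = ALLOWED_REFERRER_HOSTS) {
  // Never screen the login page itself, or a rejected request would loop forever.
  if (path === LOGIN_PATH) return { status: 200, setCookie: [] };
  const hasSession = /(?:^|;\s*)session=/.test(headers.cookie || '');
  // Nothing to protect: let the application handle an unauthenticated request.
  if (!hasSession) return { status: 200, setCookie: [] };
  const host = referrerHost(headers.referer);
  if (host !== null && allowed.has(host)) return { status: 200, setCookie: [] };
  // Referrer missing or not on the allowlist: clear session cookies and send to login.
  return { status: 302, location: LOGIN_PATH, setCookie: SESSION_COOKIES.map(expireCookie) };
}
```

Because a Referrer-Policy of `no-referrer` (or a typed URL) can leave the Referer header empty on a legitimate visit, this treats an absent Referer as not whitelisted, which will log such users out; measure how often that happens before relying on it.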