
I wasn’t really following this whole SameSite thing, but between Safari and Chrome and various versions it looks like they made the problem worse.

The idea is great. Basically browser vendors finally realized that most websites don’t need cookies for cross-site requests, so they switched from opt-out via CSRF-busting techniques to opt-in.

Except isn’t following cross-site links basically a GET request initiated by a different referer? So now will Strict mode not have me logged in when someone follows a link to some site that set it? Is that why the default is Lax? And under Lax, what about HTML form POSTs to top-level documents? Those should go without cookies, right?
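The cases the comment above asks about (a followed cross-site link under Strict, the same link under Lax, and a cross-site top-level form POST under Lax) can be worked through with a small decision model. The code below is an added example, not code from the thread or from any browser; it models the SameSite rules from RFC 6265bis plus Chrome's default-Lax behaviour (an unattributed cookie is treated as Lax, with the "Lax+POST" exception for cookies younger than two minutes). Assumptions: the site of a URL is approximated by scheme plus the last two host labels instead of a real Public Suffix List lookup, and the cookie and request objects are constructed here for illustration.

```javascript
// Added example (not from the HN thread): a model of when a browser attaches
// a cookie, given its SameSite attribute and the request that would carry it.

// Approximate "site" (schemeful eTLD+1). Assumption: the last two host labels
// stand in for the registrable domain; a real browser consults the Public
// Suffix List, so co.uk-style suffixes would be wrong here.
function siteOf(url) {
  const u = new URL(url);
  const registrable = u.hostname.split('.').slice(-2).join('.');
  return `${u.protocol}//${registrable}`;
}

function isSameSite(requestUrl, initiatorUrl) {
  return siteOf(requestUrl) === siteOf(initiatorUrl);
}

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

/**
 * cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined,
 *            secure: boolean, ageSeconds: number }
 * request: { url, initiator, method, topLevel: boolean }
 *   topLevel = true for navigations (links, form submissions), false for
 *   subresources, fetch/XHR and iframes.
 * Returns { sent: boolean, reason: string }.
 */
function cookieSent(cookie, request) {
  if (isSameSite(request.url, request.initiator)) {
    return { sent: true, reason: 'same-site request: SameSite never restricts these' };
  }
  const method = (request.method || 'GET').toUpperCase();
  const safeMethod = SAFE_METHODS.includes(method);
  // Unattributed (or unrecognised) value: treated as "Default", which Chrome maps to Lax.
  const explicit = ['Strict', 'Lax', 'None'].includes(cookie.sameSite) ? cookie.sameSite : undefined;
  const mode = explicit === undefined ? 'Lax' : explicit;

  switch (mode) {
    case 'Strict':
      // Answers the first question: even a plain link click from another site
      // arrives without the cookie, so the user looks logged out on landing.
      return { sent: false, reason: 'Strict: cross-site request, including a followed link' };
    case 'Lax':
      if (request.topLevel && safeMethod) {
        return { sent: true, reason: 'Lax: top-level navigation with a safe method' };
      }
      // Chrome's "Lax+POST" mitigation only applies to default-Lax cookies.
      if (request.topLevel && explicit === undefined && cookie.ageSeconds < 120) {
        return { sent: true, reason: 'Lax+POST: default-Lax cookie younger than 2 minutes' };
      }
      return {
        sent: false,
        reason: request.topLevel
          ? 'Lax: cross-site top-level ' + method + ' is sent without the cookie'
          : 'Lax: cross-site subresource/fetch/iframe',
      };
    case 'None':
      if (cookie.secure) return { sent: true, reason: 'SameSite=None; Secure: sent cross-site' };
      return { sent: false, reason: 'SameSite=None without Secure is rejected at set time' };
  }
  return { sent: false, reason: 'unreachable' };
}

// Constructed scenarios mirroring the questions in the comment.
function scenarios() {
  const link = { url: 'https://app.example/home', initiator: 'https://other.test/', method: 'GET', topLevel: true };
  const formPost = { ...link, method: 'POST' };
  const fetchCall = { ...link, topLevel: false };
  return {
    strictLink: cookieSent({ sameSite: 'Strict', secure: true, ageSeconds: 3600 }, link),
    laxLink: cookieSent({ sameSite: 'Lax', secure: true, ageSeconds: 3600 }, link),
    laxFormPost: cookieSent({ sameSite: 'Lax', secure: true, ageSeconds: 3600 }, formPost),
    defaultLaxFreshPost: cookieSent({ sameSite: undefined, secure: true, ageSeconds: 30 }, formPost),
    defaultLaxOldPost: cookieSent({ sameSite: undefined, secure: true, ageSeconds: 600 }, formPost),
    noneSecureFetch: cookieSent({ sameSite: 'None', secure: true, ageSeconds: 3600 }, fetchCall),
    noneInsecureFetch: cookieSent({ sameSite: 'None', secure: false, ageSeconds: 3600 }, fetchCall),
  };
}

for (const [name, r] of Object.entries(scenarios())) {
  console.log(name.padEnd(22), r.sent ? 'sent    ' : 'withheld', '-', r.reason);
}
```

The model makes the trade-off visible: Strict blocks the cookie on every cross-site entry, which is why a link from elsewhere lands the user on a logged-out page, while Lax keeps link-following working and still withholds the cookie on a cross-site form POST, the classic CSRF vector. The two-minute Lax+POST carve-out is the part worth remembering when auditing: it applies only to cookies set without an explicit SameSite attribute, so a server that wants the POST protection unconditionally has to set SameSite=Lax itself rather than rely on the browser default.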


