6-data-storage/01-cookie/article.md
Lines changed: 2 additions & 2 deletions
@@ -214,7 +214,7 @@ The cookie `samesite` option provides another way to protect from such attacks,
It has two possible values:
-
-**`samesite=strict` (same as `samesite` without value)**
+
-**`samesite=strict`**
A cookie with `samesite=strict` is never sent if the user comes from outside the same site.
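Review bot: removing "(same as `samesite` without value)" from the strict heading leaves this hunk with no statement of what a bare `samesite` attribute does, and the following paragraph ("A cookie with `samesite=strict` is never sent if the user comes from outside the same site.") only describes the explicit value; the parenthetical reappears on the lax heading in the next hunk, so a one-line note here such as "A `samesite` attribute with no value is not treated as strict" would keep readers of this subsection from relying on the old claim.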
@@ -230,7 +230,7 @@ When a user follows a legitimate link to `bank.com`, like from their own notes,
We could work around that by using two cookies: one for "general recognition", only for the purposes of saying: "Hello, John", and the other one for data-changing operations with `samesite=strict`. Then, a person coming from outside of the site will see a welcome, but payments must be initiated from the bank's website, for the second cookie to be sent.
-
-**`samesite=lax`**
+
-**`samesite=lax` (same as `samesite` without value)**
A more relaxed approach that also protects from XSRF and doesn't break the user experience.
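Review bot: the lax heading now asserts that `samesite` without a value behaves as `samesite=lax`, but the body text under it ("A more relaxed approach that also protects from XSRF and doesn't break the user experience.") does not restate this, so the claim lives only inside a bold heading; add a sentence under lax along the lines of "If `samesite` is set without a value, browsers treat it as `lax`", and since no commit message is visible with this patch, record the rationale for moving the note from strict to lax (which browser or specification behaviour it reflects) in the commit message so the correction can be verified.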