Mozilla engineers are planning to add a new security feature to Firefox with the addition of same-site cookie support in Firefox 60, scheduled for release next month, on May 9.
The same-site cookie feature is meant to block websites from loading cookies downloaded from other domains that do not match the URL present in the Firefox address bar. For example, with same-site cookie enabled on a website, Firefox won’t load cookies from facebook.com if a user is currently visiting domain.com.
Same-site cookies will help defend against CSRF attacks
Firefox devs say the same-site cookie feature (also spelled SameSite) is intended to protect users against cross-site request forgery (CSRF) attacks.
CSRF takes place when attackers trick users into taking an action but forge another operation in the background. For example, a user might click on a malicious link, but the attacker uses the click to submit modified account settings on another site by hijacking local cookies.
This usually happens because browsers automatically attach cookies sent with every browser request for a specific domain. Attackers abuse this “cookie auto-appending” mechanism to make requests to other sites, effectively hijacking the user’s other locally-stored cookies —while the user is on a totally different site— to perform malicious operations without the user’s knowledge, on legitimate sites.
Because of the current design of web technologies, web apps and websites cannot reliably distinguish between actions initiated by an actual user and those carried out by automated scripts, such as the scripted actions of a CSRF attack.
By adding support for same-site cookies in Firefox, Mozilla engineers are giving website operators a new setting they can configure for their apps and portals and prevent attackers from hijacking cookies for nefarious actions.
Website owners must add support for the SameSite attribute
But this isn’t a security feature that depends on users, or Mozilla, for that matter. The “SameSite” attribute must be set by website owners in their site’s HTTP response headers, similarly to how they’d configure the standard Set-Cookie header field.
According to the IETF specification, two settings will be available for website operators —Strict and Lax.
When a website owner uses a “strict” setting for his website, Firefox will refuse to attach cookies for other HTTP requests if they are not for the same domain as the URL loaded in the address bar.
Chrome has been supporting same-site cookies since version 63, released in December 2017. Other browsers that support same-site cookies are Opera (since v51), Chrome for Android (since v64), and Samsung Internet (since v6.2).
A few years ago I pitched an idea to my boss at Mozilla. Today, we announce support for same-site cookies in @firefox. Thanks @joewalker, @mikewest, Christoph Kerschbaumer, @fmarier, @mozsec and everyone else that listened or helped along the way: https://t.co/vthyOzblms
— Mark Goodwin (@mr_goodwin) April 24, 2018