Academic paper

A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence
Document Type
Conference
Source
2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 49-59, Sep. 2021
Subject
Computing and Processing
Atmospheric measurements
Authentication
Particle measurements
Time measurement
Forgery
Browsers
Internet
Browser security
CSRF
SameSite
Language
ISSN
2768-0657
Abstract
The SameSite cookie attribute was introduced to prevent Cross-site Request Forgery (CSRF) attacks. Major browsers have supported SameSite functionality since 2016. Since 2020, browsers enforce it by default. These developments have sometimes been celebrated as the end of CSRF. In this paper, we take a closer look at the potential of the SameSite mechanism to effectively fight CSRF in practice. Our measurements and evaluations over the most popular websites indicate that, if properly deployed, the SameSite mechanism can be effective against the major CSRF attack scenario. Still, like any other countermeasure, it is not likely to be a silver bullet to end CSRF, due to various scenarios that require additional protection. We refactor our findings into a set of guidelines for the web community on how to make best use of SameSite and what is left to do to fight CSRF.
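The abstract's point that SameSite stops the main CSRF scenario but not every scenario is easiest to see in the decision a browser makes before attaching a cookie to a request. The block below is an added illustration written for this page, not code from the paper or from any browser: a simplified model of that decision following RFC 6265bis and the 2020 "Lax-by-default" rollout, run over constructed scenarios (a cross-site form POST, a cross-site top-level GET, a `fetch()` POST, a request from a sibling subdomain). Assumptions, all labelled in the code: the registrable domain is the last two host labels (no Public Suffix List), the site comparison is schemeful, the "Lax+POST" grace period is two minutes as Chrome implemented it, and `SameSite=None` without `Secure` is rejected at set time.

```javascript
// Added example (not from the paper): a simplified model of the browser-side
// "does this cookie accompany this request?" decision under SameSite rules.
// Assumptions: registrable domain = last two host labels (no PSL), schemeful
// site comparison, 2-minute Lax+POST grace period, None-without-Secure rejected.

const LAX_POST_GRACE_MS = 2 * 60 * 1000; // assumption: Chrome's Lax+POST window

// Assumption: no Public Suffix List, so "evil.bank.example" and "bank.example"
// share the registrable domain "bank.example" and count as the same site.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Schemeful site: scheme + registrable domain.
function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Parse a Set-Cookie header into a cookie record. Returns null when the
// browser would reject the cookie (SameSite=None without Secure).
function parseSetCookie(header, setAtMs) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   sameSite: null, secure: false, setAt: setAtMs };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") {
      const val = v.toLowerCase();
      // Unknown values are treated as if the attribute were absent.
      if (["strict", "lax", "none"].includes(val)) cookie.sameSite = val;
    }
  }
  if (cookie.sameSite === "none" && !cookie.secure) return null;
  return cookie;
}

function isSafeMethod(method) {
  return ["GET", "HEAD", "OPTIONS", "TRACE"].includes(method.toUpperCase());
}

// req = { url, initiator (URL of the initiating document, or null for a
//         user-typed navigation), method, topLevel (true for navigations) }
function cookieIsSent(cookie, req, nowMs) {
  const target = new URL(req.url);
  if (cookie.secure && target.protocol !== "https:") return false;
  const crossSite = req.initiator !== null && siteOf(req.initiator) !== siteOf(req.url);
  if (!crossSite) return true; // same-site requests always carry the cookie

  switch (cookie.sameSite) {
    case "none":
      return true;
    case "strict":
      return false;
    case "lax":
      // Lax: cross-site only on top-level navigations using a safe method.
      return req.topLevel && isSafeMethod(req.method);
    default: {
      // No SameSite attribute: treated as Lax, plus the Lax+POST exception
      // for cookies younger than the grace period.
      if (req.topLevel && isSafeMethod(req.method)) return true;
      const age = nowMs - cookie.setAt;
      return req.topLevel && req.method.toUpperCase() === "POST" && age < LAX_POST_GRACE_MS;
    }
  }
}

// Constructed scenarios for illustration; these are not the paper's measurements.
function scenarios() {
  const t0 = 1700000000000;            // fixed clock: when the session cookie was set
  const now = t0 + 10 * 60 * 1000;     // ten minutes later
  const set = (h) => parseSetCookie(h, t0);

  const legacy = set("sid=abc");                         // no SameSite attribute
  const lax = set("sid=abc; SameSite=Lax; Secure");
  const strict = set("sid=abc; SameSite=Strict; Secure");
  const none = set("sid=abc; SameSite=None; Secure");
  const noneInsecure = set("sid=abc; SameSite=None");    // rejected at set time

  const transfer = "https://bank.example/transfer";
  const formPost = { url: transfer, initiator: "https://attacker.example/", method: "POST", topLevel: true };
  const linkGet = { url: transfer + "?to=mallory", initiator: "https://attacker.example/", method: "GET", topLevel: true };
  const fetchPost = { ...formPost, topLevel: false };
  const subdomainPost = { ...formPost, initiator: "https://evil.bank.example/" };

  return {
    legacyFormPost: cookieIsSent(legacy, formPost, now),               // false: Lax-by-default blocks the classic form CSRF
    legacyFormPostFresh: cookieIsSent(legacy, formPost, t0 + 60000),   // true: Lax+POST window still open
    laxFormPost: cookieIsSent(lax, formPost, now),                     // false
    laxGetNavigation: cookieIsSent(lax, linkGet, now),                 // true: state-changing GET remains exposed
    strictGetNavigation: cookieIsSent(strict, linkGet, now),           // false
    noneFetchPost: cookieIsSent(none, fetchPost, now),                 // true: None opts out entirely
    strictSubdomainPost: cookieIsSent(strict, subdomainPost, now),     // true: sibling subdomain is same-site
    noneInsecureRejected: noneInsecure === null,                       // true
  };
}
```

The scenario table is where the "not a silver bullet" caveat lives: even `Strict` does nothing against a request launched from a sibling subdomain, `Lax` still sends the cookie on a top-level GET, an unattributed cookie set in the last two minutes rides along on a cross-site POST, and `SameSite=None; Secure` opts the cookie out of the protection altogether. Those are the cases where a server-side token or origin check is still needed.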