edoceo 6 days ago
This doesn't match my experience. What am I doing differently? Example: I set SameSite=Strict on www.edoceo.com and then, visiting app.edoceo.com, the cookie is not there? They are different sites, different origins. And the cookie is set to the domain (i.e. host, i.e. www.edoceo.com).
FiloSottile 6 days ago | parent
For CSRF (and for SameSite), you are not looking at what cookies are sent to attacker.example.com, but what cookies are sent to target.example.com if a request is originated from attacker.example.com (or from attacker.com).
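Added example, not from either commenter: a small model of the two checks a browser applies before attaching a stored cookie to a request, using the hosts named in the thread. The first check is the cookie's Domain/host-only scope (RFC 6265 domain matching), which is what removes a host-only www.edoceo.com cookie from requests to app.edoceo.com. The second is SameSite, which only compares the site the request originates from with the site it is sent to, as the reply above describes. The function names, the `initiatorHost`/`targetHost` request shape, and the attacker.com host are assumptions made for the example, and the site comparison is approximated as "last two host labels" instead of the real public-suffix list, so it is wrong for hosts such as foo.co.uk.

```javascript
// Added example (not code from the thread). Models cookie attachment:
//   1. Domain / host-only scope (RFC 6265 section 5.1.3 domain-match)
//   2. SameSite (RFC 6265bis), keyed on initiator site vs target site.

// Registrable-domain approximation: ASSUMPTION, no public-suffix list, so
// "a.b.co.uk" would wrongly collapse to "co.uk". Good enough for *.edoceo.com.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// "Same site" means same registrable domain, not same host/origin:
// app.edoceo.com and www.edoceo.com are different origins but the same site.
function sameSite(initiatorHost, targetHost) {
  return siteOf(initiatorHost) === siteOf(targetHost);
}

// RFC 6265 domain-match. A host-only cookie (no Domain attribute) is sent only
// to exactly the host that set it; Domain=example.com also covers subdomains.
function domainMatches(cookie, requestHost) {
  const h = requestHost.toLowerCase();
  if (cookie.hostOnly) return h === cookie.domain.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Decide whether one stored cookie is attached to one request.
//   cookie: { name, domain, hostOnly, sameSite: "Strict" | "Lax" | "None" }
//   req:    { initiatorHost, targetHost, method, topLevelNavigation }
// initiatorHost is the page the request comes from (e.g. attacker.com);
// targetHost is where it is sent (e.g. www.edoceo.com).
function cookieIsSent(cookie, req) {
  if (!domainMatches(cookie, req.targetHost)) return false;
  // SameSite never withholds a cookie on a same-site request, whatever its value.
  if (sameSite(req.initiatorHost, req.targetHost)) return true;
  switch (cookie.sameSite) {
    case "Strict": return false;
    case "Lax":    return req.topLevelNavigation && req.method === "GET";
    case "None":   return true; // browsers also require Secure for this
    default: throw new Error("unknown SameSite value: " + cookie.sameSite);
  }
}

// The scenarios from the thread plus the usual cross-site CSRF cases.
function scenarios() {
  const strict = { name: "sid", domain: "www.edoceo.com", hostOnly: true, sameSite: "Strict" };
  const lax = { ...strict, sameSite: "Lax" };
  const none = { ...strict, sameSite: "None" };
  const sub = (initiatorHost, targetHost, method = "POST") =>
    ({ initiatorHost, targetHost, method, topLevelNavigation: false });
  const nav = (initiatorHost, targetHost, method = "GET") =>
    ({ initiatorHost, targetHost, method, topLevelNavigation: true });

  return {
    // Visiting app.edoceo.com: the cookie is absent because it is host-only
    // for www.edoceo.com, not because of SameSite.
    otherSubdomainRequest: cookieIsSent(strict, sub("app.edoceo.com", "app.edoceo.com")),
    // A page on app.edoceo.com POSTing to www.edoceo.com is same-site
    // (edoceo.com), so SameSite=Strict still sends the cookie: no CSRF
    // protection between subdomains of one site.
    sameSiteSubdomainPost: cookieIsSent(strict, sub("app.edoceo.com", "www.edoceo.com")),
    // Cross-site POST from attacker.com: Strict and Lax both withhold it.
    crossSiteStrictPost: cookieIsSent(strict, sub("attacker.com", "www.edoceo.com")),
    crossSiteLaxPost: cookieIsSent(lax, sub("attacker.com", "www.edoceo.com")),
    // Cross-site top-level GET navigation: Lax sends it, Strict does not.
    crossSiteLaxNav: cookieIsSent(lax, nav("attacker.com", "www.edoceo.com")),
    crossSiteStrictNav: cookieIsSent(strict, nav("attacker.com", "www.edoceo.com")),
    // SameSite=None: attached regardless of where the request originates.
    crossSiteNonePost: cookieIsSent(none, sub("attacker.com", "www.edoceo.com")),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scenarios());
}
```

The point the model makes concrete: the observation that a www.edoceo.com cookie does not show up on app.edoceo.com is the Domain/host-only rule at work and says nothing about SameSite. SameSite only matters when the initiator and target are different sites, and a request from app.edoceo.com to www.edoceo.com is not one of those, so a forgery hosted on any subdomain of the same registrable domain still carries a SameSite=Strict cookie.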