Set-Cookie HTTP header 和 CSRF 的松散与严格

Lax vs Strict for Set-Cookie HTTP header and CSRF

我刚刚在看书 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie:

Lax: The cookie is not sent on cross-site requests, such as calls to load images or frames, but is sent when a user is navigating to the origin site from an external site (e.g. if following a link). This is the default behavior if the SameSite attribute is not specified.

如果这是默认设置,那么这是否意味着 CSRF 攻击不会发生? 如果有人加载一个在后台运行 Javascript 的恶意网站,向受害者当前登录的网站发出简单的 POST 请求,则默认行为是不会发送 cookie,对吗?

此外,为什么有人会选择使用 Strict 而不是 Lax? 为什么你会想要阻止用户的浏览器在导航到该网站时向源网站发送 cookie,而这正是 Strict 所做的?

SameSiteLax 时,CSRF 攻击仍然可能发生。它可以防止您提到的跨站点 POST 攻击,但是如果网站通过 GET 请求触发不安全操作,那么它仍然是可能的。例如,许多站点当前使用 GET 请求触发注销,因此攻击者将用户从会话中注销是微不足道的。

标准addresses this直接:

Lax enforcement provides reasonable defense in depth against CSRF attacks that rely on unsafe HTTP methods (like "POST"), but does not offer a robust defense against CSRF as a general category of attack:

  1. Attackers can still pop up new windows or trigger top-level navigations in order to create a "same-site" request (as described in section 5.2.1), which is only a speedbump along the road to exploitation.

  2. Features like <link rel='prerender'> can be exploited to create "same-site" requests without the risk of user detection.

鉴于此,有人会使用 Strict 的原因很简单:它可以防止更广泛的 class CSRF 攻击。当然,这是一种权衡,因为它会阻止某些使用您网站的方式,但如果这些用例对您不重要,那么权衡可能是合理的。