The specification permits Lax cookies to be transmitted with cross-site requests only if they are top-level and have a safe method, such as GET (but not POST). If a request is made within an iframe, it is not considered top-level, so Lax cookies will not be sent with a cross-site request regardless of the request method. This measure helps to prevent CSRF by preventing unauthorized websites from making authenticated requests to third-party sites that include session cookies.
The stringency of cookie handling pertains to the sending of cookies by your browser, while your evaluation focused on the receiving of cookies.
The cookie’s return to its origin is determined by the SameSite setting used by the browser.
Referring to the explanation of SameSite cookies.
By setting SameSite as Strict, the cookie will solely be sent in a first-party context. This means that the cookie will only be transmitted if the website for the cookie matches the current website displayed in the browser’s URL bar. Therefore, if the promo_shown cookie is established in this manner:
The cookie named “promo_shown” has been set to a value of 1. Its SameSite attribute has been set to Strict.
Once the user is already on your website, the cookie will be included in the request as anticipated. However, if the user arrives at your website through a link from another site or an email from a friend, the cookie will not be sent with the initial request.
On the other hand, the SameSite=Lax setting permits the cookie to be sent for the primary navigations, which include clicking on a link in an email or following a link on a different website, as mentioned earlier.
Included in the summary on MDN is the third value, which is SameSite=None.
There are three possible values that can be accepted by the SameSite attribute.
By default, modern browsers permit cookies to be transmitted during top-level navigations and included in third-party website GET requests.
Cookies will exclusively transmit in a primary context and refrain from transmitting with inquiries activated by external websites.
In all contexts, including cross-origin, cookies are permitted to be sent.
Prior to recent browser versions, the default value for defense against certain CSRF attacks was none. However, Lax has become the new default value, providing a reasonably robust defense mechanism.
The Secure attribute is no longer necessary in the latest versions of web browsers.
In case the HTML forms used in the example are from a different website other than mysite.com, then SameSite=Strict won’t send the cookies back to mysite.com. However, if SameSite=Lax is used and the form has method=”get”, the cookies will be sent by the browser. Nevertheless, cookies won’t be sent if method=”post” is used.
When the SameSite attribute is set to Strict, cookies are sent through links in emails, but only if the email client is a standalone application and not browser-based. Clicking on a link in a web app such as Gmail constitutes a cross-domain request, which is blocked by the browser.
Under the SameSite Strict setting, cookies will be transmitted in the following scenarios:
- Navigating through hyperlinks within the identical website.
- Typing the URL directly into the browser’s address bar.
- Clicking on a hyperlink within a non-web browser program, such as an email application or a document editing software.
When set to Lax, SameSite is included in all the aforementioned situations.
- If a ‘safe’ method (GET, HEAD, OPTIONS) is used when accessing a top-level link from another domain, the URL in the address bar changes and the cookie will not be sent through a request made in an IMG tag, IFRAME, or other means.