Description
The security considerations section of the document should be made very clear on the protection (or the lack thereof) that Partitioned cookies provide against cross-site attacks in comparison to SameSite=Lax/Strict cookies.
The document touches this topic in 3 places:
> It's important to note that Partitioned does not offer all of the same protections as SameSite=Lax/Strict. For example, consider the case when 3p.com is compromised by a malicious actor and is still embedded on 1p.com. In that case, the attacker could embed 1p.com into 3p.com's frame when 1p.com is the top-level site, and the attacker would have access to 1p.com's Partitioned cookies.

> Partitioning cross-site cookies makes XSS attacks less powerful, since an attacker would need to navigate the user's browser to a compromised cookie's top-level site in order for the browser to send the cookie at all.

> Cross-site cookies with the Partitioned attribute are less susceptible to CSRF attacks than unpartitioned, third-party cookies. This is because a Partitioned cookie is only sent in requests when the browser is visiting the top-level site the cookie was created in, so a malicious top-level site will not be able to forge a request with an existing Partitioned cookie (unless they have compromised the top-level site that the cookie was sent from).
The wording used ("some protection/less powerful/less susceptible") should be replaced with a clear statement that partitioned cookies do not provide any protection against XSS and CSRF attacks, in comparison to the protection that is provided by SameSite=Lax/Strict cookies.
As far as it looks to me:
- While `SameSite=Lax/Strict` cookies provide complete protection against POST-based CSRF, `Partitioned` cookies leave the website vulnerable to both GET- and POST-based CSRF attacks. However, exploitation of a CSRF vulnerability with `Partitioned` cookies requires navigating the victim's browser to the vulnerable site (the same applies to XSS exploitation). `Partitioned` cookies seem to prevent timing- and embedding-based XS-Leaks. However, this might not(?) hold if the target website iframes a website compromised by the attacker (see the 1p.com/3p.com example above).
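To make the comparison concrete, here is an added example (not code from the CHIPS explainer or from any browser) that models the cookie flavours as a simplified send-or-not policy and runs the CSRF and compromised-3p.com scenarios discussed in this issue. The site names evil.com, 1p.com and 3p.com are constructed, and the rules are a deliberate simplification of the real cookie algorithms (no Secure, path, or cookie-age handling).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    site: str            # site that set the cookie, e.g. "1p.com"
    same_site: str       # "None", "Lax" or "Strict"
    partition: str = ""  # top-level site it was set under (CHIPS); "" = unpartitioned

@dataclass(frozen=True)
class Request:
    target: str               # site the request goes to
    frames: tuple             # frame chain of the initiator, top-level site first
    method: str = "GET"
    navigation: bool = False  # top-level navigation (link click, form submit)

def is_sent(cookie, req):
    """Does the browser attach `cookie` to `req` under this simplified policy?"""
    if cookie.site != req.target:
        return False
    # A navigation changes the top-level site to the target; otherwise it is frames[0].
    top_level = req.target if req.navigation else req.frames[0]
    # Partitioned cookies exist only in the partition keyed by their top-level site.
    if cookie.partition and cookie.partition != top_level:
        return False
    same_site = all(f == cookie.site for f in req.frames)  # no cross-site ancestor
    if cookie.same_site == "Strict":
        return same_site
    if cookie.same_site == "Lax":
        return same_site or (req.navigation and req.method in ("GET", "HEAD"))
    return True  # SameSite=None: sent wherever the partition rule allows

COOKIES = {  # constructed cookies for the victim site 1p.com
    "third-party (SameSite=None)": Cookie("1p.com", "None"),
    "Partitioned, key 1p.com": Cookie("1p.com", "None", partition="1p.com"),
    "SameSite=Lax": Cookie("1p.com", "Lax"),
    "SameSite=Strict": Cookie("1p.com", "Strict"),
}
SCENARIOS = {  # constructed request contexts
    # CSRF: evil.com auto-submits a form that navigates the top-level page to 1p.com
    "POST CSRF from evil.com": Request("1p.com", ("evil.com",), "POST", navigation=True),
    "GET navigation from evil.com": Request("1p.com", ("evil.com",), "GET", navigation=True),
    # evil.com stays top-level and fetches 1p.com from a hidden iframe
    "GET from evil.com iframe": Request("1p.com", ("evil.com", "evil.com")),
    # compromised 3p.com frame embedded on 1p.com loads 1p.com again inside itself
    "1p.com nested under 3p.com": Request("1p.com", ("1p.com", "3p.com")),
}

def scenario_matrix():
    """scenario -> cookie flavour -> True if the browser attaches the cookie."""
    return {s: {c: is_sent(ck, rq) for c, ck in COOKIES.items()} for s, rq in SCENARIOS.items()}
```

The matrix shows the point of the issue: the Partitioned cookie is attached for the POST and GET navigations from evil.com and for the nested frame under 3p.com, exactly where Lax/Strict withhold it, and it only helps when the attacker stays on their own top-level site.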