samesite-lax-demo

Background on my blog: Exploring the SameSite cookie attribute for preventing CSRF

This repo holds some tools for exploring the implementation of SameSite=Lax (and SameSite=Strict and SameSite=None) in your browser.

You can set those cookies on this site: https://samesite-lax-demo.vercel.app/

And then use the buttons on https://simonw.github.io/samesite-lax-demo/ - deliberately hosted on an entirely separate domain - to see how they affect navigation to that site using both links and form submissions.

In my explorations using Firefox 89 I get the following:

• For SameSite=Strict the cookie I have set is NOT displayed for both link and form navigations
• For SameSite=None the cookie I have set is displayed for both link and form navigations
• For SameSite=Lax the cookie shows for link navigations but NOT for form navigations