This week Mozilla announced that the upcoming Firefox 60 version will implement a new Cross-Site Request Forgery (CSRF) protection by introducing support for the same-site cookie attribute.
An attacker can launch a CSRF attack to perform unauthorized activities on a website on behalf of authenticated users, this is possible by tricking victims into visiting a specially crafted webpage.
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. ” reads the OWASP.
“Firefox 60 will introduce support for the same-site cookie attribute, which allows developers to gain more control over cookies. Since browsers will include cookies with every request to a website, most sites rely on this mechanism to determine whether users are logged in.” reads the announcement published by Mozilla.
These types of attacks leverage the fact that every request to a website includes cookies and many sites rely on these cookies for authentication purposes.
According to Mozilla there currently there is no way to reliably determine if a request has been initiated by the legitimate user or if it comes from a third-party script.
“Unfortunately current web architecture does not allow web applications to reliably distinguish between actions initiated by the user and those that are initiated by any of the third-party gadgets or scripts that they rely on.” continues the announcement.
“To compensate, the same-site cookie attribute allows a web application to advise the browser that cookies should only be sent if the request originates from the website the cookie came from. Requests triggered from a URL different than the one that appears in the URL bar will not include any of the cookies tagged with this new attribute.”
The attributes can have only two values:
In ‘strict‘ mode, when a user clicks on an inbound link from external sites to the application, he will initially be treated as ‘not being logged in even if they have an active session with the site.
The ‘lax‘ mode, is implemented for applications that may be incompatible with the strict mode. In the lax mode same-site cookies will be withheld on cross-domain subrequests (e.g. images or frames) but will be sent whenever a user navigates from an external site, for example by following a link.
(Security Affairs – CSRF, Mozilla)