Cookie: SameSite=None Experiment Results

Long story short: It’s not safe to create web cookies with SameSite=None and I did an experiment where I tested the SameSite flag by creating cookies in about 770 000 web requests from real visitors. Incompatible browsers:

In the following days this page will be updated with more statistics.

Experiment results:

Data collection:

  • ~ 25 000 – Unique results
  • ~ 770 000 – Payloads
  • Top 5 countries:
    • US
    • UK
    • Canada
    • Australia
    • Netherlands

A link to the 25 000 unique results:

Data analysis based on the ~ 25 000 unique results:

  • 78.42% – Success with SameSite=None; Secure.
  • 4.57% – Failed to create a cookie with SameSite=None; Secure, but successfully created one with only the Secure flag.
  • ~ 17% – Couldn’t be read by JavaScript with either SameSite=None; Secure or the Secure flag alone.

A table showing the percentage of requests in which a cookie was successfully read back by JavaScript. The cases in which a cookie couldn’t be read by JavaScript are those where the cookie was dropped, was created as SameSite=Strict (and is therefore not visible in a cross-site iframe), or was dropped because of browser bugs:

Notes on the experiment:

With the latest browser releases we have started hearing more and more about the SameSite cookie attribute:

This attribute has 3 possible values: Lax, Strict and None. Lax and Strict seem to work “flawlessly”, but there are issues with None. The reason is that None was introduced after the Lax and Strict options had already been implemented, and some browsers that shipped the earlier draft were not prepared for an unknown value: they either reject the cookie or fall back to the strictest behaviour.

Here is what happens on incompatible browsers when we have SameSite=None:

  • The cookie is dropped/not created at all (that’s kind of scary).
  • The cookie is created as SameSite=Strict, so it is never sent with, or readable from, the cross-site iframe.

More details about incompatible browsers:

The method:

In a third-party iframe we:

  • created cookies with different combinations of the SameSite attribute and the Secure flag, both with JavaScript (document.cookie) and with Set-Cookie response headers
  • created cookies without the SameSite attribute and without the Secure flag, with JavaScript and with response headers
  • created cookies with different lifetimes, with JavaScript and with response headers
  • deleted some of the cookies with JavaScript

Once the cookies are created we read them back via JavaScript and send them to the server both as a GET query parameter and in the request headers (the Cookie header), so the server can compare what the browser kept with what it was told to store.

The setup:

An example payload:
