Cross-site requests do not include same-site cookies, but what happens if such a request leads to a redirection within the target site?
I tested this with the following Node.js express app running on
app.get("/a", function(req, res) {
res.cookie("a", "b", {sameSite: "strict", secure: true, httpOnly: true});
.get("/b", function(req, res) {
.get("/c", function(req, res) {
.get("/d", function(req, res) {
res.send(`<!DOCTYPE html><html><body onload="location.href='/b'"></body></html>`);
and an HTML page
that contains cross-site hyperlinks to
I performed the following steps with Google Chrome (version 109.0.5414.75):
in a browser window. This sets the same-site cookie.
link does not send the same-site cookie./c
link does not send the same-site cookie, neither with the first request GET /c
(which leads to an HTTP redirection) nor with the second request GET /b
that results from the redirection./d
link does not send the same-site cookie with the first request GET /d
(which serves an HTML page), but does send it with the second request GET /b
that results from the Javascript redirection in the HTML page.I am surprised by the difference in behavior between steps 4 (HTTP redirection) and 5 (Javascript redirection).
The difference is explained by criterion 3 in the definition of same-site. A same-site cookie is sent in a request whose client has the same origin as its URL. In the given example, this means that the request's client must have origin
for the cookie to be sent.
, because the request's client does not change during an HTTP-redirect fetch.
, because an HTML page from that origin has been loaded and the second request is a second scheme fetch, not an HTTP-redirect fetch.