Tags: cookies, samesite

How Can An Attacker Exploit SameSite=Lax Cookies Using The `window` Object?


I'm trying to understand why a SameSite cookie attribute's Strict mode prevents cookies from being loaded during top-level navigation and similar. That is, how can an attacker possibly exploit a Lax mode in the first place?


Since I'm getting the message "Your question appears to be spam." with no other explanation, I'm not sure how else to post it, so I've taken screenshots from the rendered Markdown.

Since I don't have enough reputation (10) and it's difficult to gain it, I can't display the images in this post.


Solution

  • Imagine you are always logged on to a trusted website that restricts the number of requests you can make daily (for example, read only so and so many posts from a microblogging website). If the session cookie that authenticates you to this website is lax, a malicious website could redirect you to the trusted website and thereby consume one request from your daily quota. This may be to no-one's advantage but it is to your disadvantage.

    If the session cookie was strict, a conforming browser would not send it in the malicious request, because it originates from a different website. Therefore you would not be logged on to the microblogging website with that request and would not consume from your daily quota.

    The `window` object offers no attack avenue: the JavaScript code that can access the `window` object is controlled by the respective website. When accessing `window.document`, the malicious website sees its own document, and the trusted website sees its own document. Besides, HTTP-only cookies are never visible in this way.