Edge browser introduces same-site cookies to prevent cross-site request forgery attacks
In the Windows Insider Preview build 17672 pushed yesterday, Microsoft added support for “same-site cookies” to the Edge browser, earlier than previously scheduled for Microsoft Edge and Internet Explorer. Compared with the feature-rich build 17666, build 17672 is not a big update; however, its introduction of SameSite cookies gives users additional protection against cross-site request forgery (CSRF) attacks.
Take example.com as an example: when a page on example.com makes a “cross-origin request” to another site (such as microsoft.com), the browser normally sends microsoft.com's cookies along with that request.
Image: Microsoft
Although users benefit from reusing certain state across sites (such as login state), this behaviour is easy to abuse, most notably in CSRF attacks. Within a defense-in-depth strategy, same-site cookies are a valuable addition.
To extend the security benefit of this feature, Microsoft has decided to deploy same-site cookie support to the Windows 10 Creators Update and to subsequent versions of the Edge and IE11 browsers.
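The following is an added example, not code from Microsoft or Neowin, that models the browser decision the two paragraphs above describe: a cross-site request normally carries the target site's cookies, and the SameSite attribute restricts when that happens. The Strict/Lax/None semantics come from the SameSite cookie specification rather than from this article; the site names (bank.example, attacker.example), the "last two labels" rule for the registrable domain, and the scenario values are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Return the registrable domain ("site") of a URL.

    Assumption: the site is the last two host labels (example.com). Real
    browsers consult the Public Suffix List, which is out of scope here.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Cookie:
    name: str
    value: str
    site: str                 # site that set the cookie, e.g. "bank.example"
    same_site: str = "None"   # "Strict", "Lax" or "None" (None = legacy behaviour)


def should_send(cookie: Cookie, initiator_url: str, target_url: str,
                top_level_navigation: bool, method: str) -> bool:
    """Model of the browser decision: is this cookie attached to the request?"""
    if site_of(target_url) != cookie.site:
        return False                       # cookie belongs to another site entirely
    if site_of(initiator_url) == site_of(target_url):
        return True                        # same-site request: always attached
    mode = cookie.same_site.lower()
    if mode == "strict":
        return False                       # never attached on cross-site requests
    if mode == "lax":
        # Attached only on a top-level navigation (link click, address bar) using a
        # safe method; cross-site form POSTs, fetch/XHR and subresource loads omit it.
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True                            # SameSite=None: the pre-SameSite behaviour the article describes


def set_cookie_header(cookie: Cookie, path: str = "/") -> str:
    """Build the Set-Cookie header value a server would emit for this cookie."""
    return f"{cookie.name}={cookie.value}; Path={path}; Secure; HttpOnly; SameSite={cookie.same_site}"


def csrf_outcomes() -> dict:
    """Constructed scenario: a page on attacker.example issues a cross-site POST to
    bank.example, and separately the user clicks a link from attacker.example to bank.example."""
    results = {}
    for mode in ("None", "Lax", "Strict"):
        session = Cookie("session", "abc123", "bank.example", mode)   # constructed sample value
        results[mode] = {
            "cross_site_post": should_send(session, "https://attacker.example/",
                                           "https://bank.example/transfer", False, "POST"),
            "link_click": should_send(session, "https://attacker.example/",
                                      "https://bank.example/account", True, "GET"),
        }
    return results


if __name__ == "__main__":
    print("Server sends:", set_cookie_header(Cookie("session", "abc123", "bank.example", "Lax")))
    for mode, r in csrf_outcomes().items():
        print(f"SameSite={mode:<6} cookie on cross-site POST: {r['cross_site_post']!s:<5} "
              f"on link click: {r['link_click']}")
```

Running the script shows the defensive point in one table: with SameSite=None the session cookie rides along on the cross-site POST (the state-reuse the article warns about), while Lax and Strict both withhold it; Lax still sends it on an ordinary link click, which is why it is the usual choice for session cookies on sites that must stay reachable from external links.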
Source: Neowin