Looks like Windows 10 browsers are about to pick up a new feature. Microsoft has confirmed that it has started testing SameSite cookies on the most recent preview builds released for the OS.
An early implementation, so to say.
The SameSite cookies standard adds a new security layer to Windows 10, helping protect users against cross-site request forgery (CSRF) attacks. Windows 10 build 17672 comes with support for this in Microsoft Edge, and Internet Explorer will also get in on the act soon.
Redmond has explained this in detail, with a technical analysis outlining what SameSite cookies can do on Windows 10 Creators Update and newer.
“Historically, sites such as example.com that make “cross-origin” requests to other domains such as microsoft.com have generally caused the browser to send microsoft.com’s cookies as part of the request.
Normally, the user benefits by being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. Same-site cookies are a valuable addition to the defense in depth against CSRF attacks.”
The good thing for those running older versions of Windows 10 is that this feature is backwards compatible: browsers lacking it will ignore the new attribute and use a regular cookie.
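To make the backwards-compatible behaviour concrete, here is an added example (not from Microsoft's write-up) that models a browser's SameSite decision for the example.com to microsoft.com request described in the quote. The `Strict` and `Lax` values come from the IETF draft; the header, URLs, function names and the two-label "site" comparison are assumptions made for illustration, and only the SameSite check is modelled (not Domain or Path matching).

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header, supports_samesite=True):
    """Parse a Set-Cookie value. A browser without SameSite support
    (supports_samesite=False) skips the attribute like any unknown one."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "samesite": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        if supports_samesite and key.strip().lower() == "samesite":
            val = val.strip().lower()
            # Simplification: only the two standard values are modelled.
            cookie["samesite"] = val if val in ("strict", "lax") else None
    return cookie


def site_of(url):
    """Assumption: the 'site' is the last two host labels. Real browsers
    use the Public Suffix List to find the registrable domain."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def would_send(cookie, initiator_url, target_url, method="GET", top_level_nav=False):
    """Decide whether the cookie is attached to a request to target_url
    that was triggered by a page at initiator_url."""
    if cookie["samesite"] is None:
        return True  # regular cookie: SameSite places no restriction
    if site_of(initiator_url) == site_of(target_url):
        return True  # same-site request
    if cookie["samesite"] == "strict":
        return False  # never sent on cross-site requests
    # lax: only top-level navigations that use a safe method
    return top_level_nav and method.upper() in SAFE_METHODS


# Constructed sample header and URLs, not taken from any real site.
HEADER = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"
CROSS_SITE_PAGE = "https://example.com/page"
TARGET = "https://www.microsoft.com/account/update"

if __name__ == "__main__":
    for label, supported in (("SameSite-aware", True), ("legacy", False)):
        cookie = parse_set_cookie(HEADER, supports_samesite=supported)
        sent = would_send(cookie, CROSS_SITE_PAGE, TARGET, method="POST")
        print(f"{label} browser sends cookie on cross-site POST: {sent}")
```

Because a legacy browser still attaches the cookie, SameSite works as one layer of CSRF defense alongside existing protections such as anti-forgery tokens, not as a replacement for them.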
There is no timeline for when this feature gets rolled out, given that SameSite cookies are still in the works at the Internet Engineering Task Force (IETF).
But Microsoft suggests that it will be released when ready.
If anything, we may even get it before Redstone 5 is launched, seeing as this feature is set to be released for older versions of Windows 10 too.
Let’s see.