In part 1 we looked at the SameSite attribute, here we will run through a quick demo of an CSRF (Cross site request forgery) attack being performed with Chrome’s enforcement enabled.

Note: when attempting this on the latest version of Chrome (version 80 at the time of writing) it didn’t work. The following reference here says this change will be in place later on in February. This meant that currently this feature had to be enabled via chrome://flags/#same-site-by-default-cookies. To try this yourself please go to

This demo application provides the following greeting page when first visited with no cookie set:

Samesite Graphic 1

Simply entering a name and clicking “Set Name” will set the cookie “name” with this value that is entered:

Samesite Graphic 2
Viewing this in the browser shows the SameSite attribute is not set. Thus, Chrome will treat this as Lax, except for the 2-minute exception:

Samesite Graphic 3 

Now, there is a change feature which simply changes the name value with what is again entered:

Samesite Graphic 4

This shows that it has been changed:

Samesite Graphic 5

This change feature performs a POST request to “change.php” using the name attribute with the value name. So, creating a simple CSRF Proof of Concept (POC) with the following that automatically submits the form when visited:

Samesite Graphic 6

When visited, this gets issued and the change gets made. At this same time Chrome shows a message advising the 2-minute exception is in place. Thus, this being allowed:

Samesite Graphic 7
Changing the POC slightly, in this case changing the value to “csrf2”:

Samesite Graphic 8

When visiting this csrf.html POC again, after the 2-minute exception, the page now shows “No cookie found”. This means that the cookie wasn’t include in this second CSRF request. Furthermore, Chrome shows a message indicating the cookie was blocked due to not having the SameSite attribute with the value “None”, along with the Secure attribute set. 

Samesite Graphic 9

When using Chrome for now, until later on in February, CSRF will still be allowed. Once default and providing developers don’t set the SameSite attribute explicitly, CSRF’s will have its limitations. However, when the use of the SameSite attribute is used, CSRF’s may still be performed depending on how developers explicitly set the cookies (e.g. Setting a cookie has SameSite=None and Secure when it doesn’t need to be).     

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
iasme consortium
iasme consortium
cyber essentials
cyber essentials plus
iot security assured
ukas iso 9001ukas iso 27001
Back to top
Get in touch