HTTP request header attributes path, domain vs SameSite

If in the HTTP response header the "set-cookie" properties "path" and "domain" are set for a site, say a.com, as path=/, domain=a.com

The role of path and domain states: path: URL path that must exist in the requested resource; domain: restrict the host to which cookies will be sent.

Now what is the role of setting the "SameSite" property? Its use case states that the cookie is not to be sent along with cross-site requests, but the cookie scope is already restrained to the same domain by the path and domain attributes.

Will SameSite: Lax overwrite the restriction imposed by path/domain?

What is the role of setting the "SameSite" property?

There are two concepts here: the requested resource and where that request originated. For example, you are visiting a.com and send an HTTP request to b.com (through Ajax, image loading, a hyperlink, etc.). In this scenario, the requested resource is data on b.com, while the request originates from a.com.

domain and path are used to restrict which requested resource the cookie can be applied to, while SameSite is used to restrict where that request should originate.

For example, if domain is c.com, the cookie won't be applied to a request sent to b.com, no matter whether that request is sent from the b.com website or not. Meanwhile, if SameSite is Strict, as long as you are not on the b.com website, the HTTP request to b.com won't carry that cookie, even if that "SameSite=Strict" cookie's domain is b.com and path is /.

Will SameSite: Lax overwrite the restriction imposed by path/domain?

No. SameSite and domain/path are two different things.
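The following is an added example, not code from the question or the answer above: a small simulator of the browser's decision of whether a cookie is attached to a request. It checks the three attributes in the order the answer describes, first domain and path against the requested resource, then SameSite against where the request originates. The cookie and request values (a.com, b.com, c.com, the /api path) are constructed for illustration, and the "site" computation is a simplification that treats the last two DNS labels as the registrable domain rather than consulting the public suffix list.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str              # Domain attribute from Set-Cookie, e.g. "b.com"
    path: str = "/"          # Path attribute
    samesite: str = "Lax"    # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    url: str                 # the requested resource
    initiator: str           # URL of the page the request is sent from
    top_level_navigation: bool = False   # link click / redirect vs. subresource fetch
    method: str = "GET"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/app" matches "/app/x" but not "/application"
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def site_of(url: str) -> str:
    """Simplification (assumption): registrable domain = last two labels of the host."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def samesite_allows(cookie: Cookie, req: Request) -> bool:
    """Apply the SameSite rule to the request's origin, independent of domain/path."""
    same_site = site_of(req.url) == site_of(req.initiator)
    mode = cookie.samesite.capitalize()
    if mode == "None":
        return True            # modern browsers additionally require Secure here
    if same_site:
        return True            # same-site requests always pass Strict and Lax
    if mode == "Lax":
        # cross-site: only top-level navigations with a safe method carry the cookie
        return req.top_level_navigation and req.method.upper() == "GET"
    return False               # Strict: never cross-site


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """True if the browser would attach `cookie` to `req`."""
    parts = urlsplit(req.url)
    return (domain_matches(parts.hostname or "", cookie.domain)
            and path_matches(parts.path or "/", cookie.path)
            and samesite_allows(cookie, req))


if __name__ == "__main__":
    strict = Cookie("session", domain="b.com", path="/", samesite="Strict")
    lax = Cookie("session", domain="b.com", path="/", samesite="Lax")
    other = Cookie("session", domain="c.com", path="/", samesite="None")
    to_b_from_a = Request("https://b.com/api", initiator="https://a.com/page")
    to_b_from_b = Request("https://b.com/api", initiator="https://b.com/page")
    nav_from_a = Request("https://b.com/api", initiator="https://a.com/page",
                         top_level_navigation=True)
    print("domain=c.com, request to b.com from b.com:", cookie_sent(other, to_b_from_b))
    print("Strict, request to b.com from a.com:", cookie_sent(strict, to_b_from_a))
    print("Strict, request to b.com from b.com:", cookie_sent(strict, to_b_from_b))
    print("Lax, top-level GET to b.com from a.com:", cookie_sent(lax, nav_from_a))
```

The two checks are independent: a cookie whose domain does not match the requested host is never sent, whatever SameSite says, and a SameSite=Strict cookie that matches domain and path is still withheld when the request originates from another site. That is why SameSite=Lax cannot "overwrite" the domain/path restriction; it only adds a further condition.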
