The use of
In most cases,
document.write() can be replaced by inserting
Google has recently changed Chrome's default behavior for external scripts injected via document.write() when the user is on a slow (currently 2G) connection, and discussions have also leaned toward extending the intervention to any slow connection.
As such, right now, the following will occur on slow (2G) connections:
- Chrome 53+ (warning displayed in debugger console)
- Chrome 55+ (blocked – code will not execute, warning message will appear in debugger console)
For users on slow connections, such as 2G, external scripts dynamically injected via document.write() can delay the display of main page content for tens of seconds, or cause pages to either fail to load or take so long that the user just gives up. Based on instrumentation in Chrome, we've learned that pages featuring third-party scripts inserted via document.write() are typically twice as slow to load as other pages on 2G.
My advice – remove all use of document.write() for required content in your code now, as your users MAY NOT see that content if you do not.
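As an added example (not code from the original post), here is the usual replacement the opening of this section alludes to: create a script element and append it to the document instead of calling document.write(). The document is passed in as a parameter, and a small stand-in object is constructed so the function can be exercised outside a browser; the widget URL is made up.

```javascript
// Replacement for document.write('<script src="..."></script>'):
// build a <script> element and append it, marked async so it neither
// blocks the parser nor falls under Chrome's 2G intervention.
// Assumption: the host page has a <head> element to attach to.
function loadScriptAsync(doc, src, { async = true, onLoad = null } = {}) {
  const head = doc.head || doc.getElementsByTagName('head')[0];
  if (!head) throw new Error('no <head> element to attach the script to');
  const el = doc.createElement('script');
  el.src = src;
  el.async = async;          // the key difference from document.write()
  if (onLoad) el.onload = onLoad;
  head.appendChild(el);
  return el;
}

// Constructed stand-in for the DOM so this runs under Node as well as in a browser.
function makeStubDocument() {
  const head = { children: [], appendChild(node) { this.children.push(node); } };
  return {
    head,
    getElementsByTagName: (tag) => (tag === 'head' ? [head] : []),
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: '', async: false, onload: null }),
  };
}

// Before (the pattern Chrome 55+ blocks on 2G):
//   document.write('<script src="https://example.com/widget.js"></script>');
// After:
const doc = makeStubDocument();
loadScriptAsync(doc, 'https://example.com/widget.js');
```

In a real page pass `document` instead of the stub; the element is created with `async` set so the browser fetches it without blocking parsing, which is exactly the behaviour the document.write() form cannot provide.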
SameSite=strict” value set to reduce CSRF exposure in section A8.
Consider using the "SameSite=Strict" flag on all cookies, which is increasingly supported in browsers. Be aware that Strict also withholds the cookie on cross-site top-level navigations, so a user following a link to your site from elsewhere arrives without their session; "SameSite=Lax" still sends the cookie on those top-level GET navigations while blocking it on cross-site POSTs and subresource requests.
Similar to the way the Secure attribute was added, SameSite allows for additional control over when the browser attaches a cookie to a request.
Per the documentation, as of April 2017 the SameSite attribute is implemented in Chrome 51 and Opera 39. Firefox has an open defect, but I would expect it to be added soon to follow Chrome.
Set-Cookie: CookieName=CookieValue; SameSite=Lax;
Set-Cookie: CookieName=CookieValue; SameSite=Strict;
According to the specification (the current draft, at the time of writing) you can issue the SameSite flag without a value and Strict will be assumed; as this default may change in later drafts, set the value explicitly rather than relying on it:
Set-Cookie: CookieName=CookieValue; SameSite
As many programming languages and server runtime environments do not yet support this for session cookies, you can have Apache (mod_headers) append the attribute to the Set-Cookie header. Note that these rules append unconditionally, so if the application later starts emitting SameSite itself the header will carry the attribute twice:
Header edit Set-Cookie ^(JSESSIONID.*)$ $1;SameSite=Strict
Header edit Set-Cookie ^(PHPSESSID.*)$ $1;SameSite=Strict
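The same rewrite as a function, added here as an example rather than taken from the post or from any project: it appends SameSite only to the named session cookies and, unlike the plain regex above, replaces an existing SameSite attribute instead of appending a second one. The cookie names and sample headers are constructed for the example.

```javascript
// Session cookie names to rewrite (assumed; adjust to your runtime).
const SESSION_COOKIES = ['JSESSIONID', 'PHPSESSID'];

// Append (or replace) the SameSite attribute on a single Set-Cookie header value.
// Non-session cookies are returned untouched.
function addSameSite(setCookie, value = 'Strict', names = SESSION_COOKIES) {
  const parts = setCookie.split(';').map((s) => s.trim()).filter(Boolean);
  const [pair, ...attrs] = parts;
  const name = pair.split('=')[0];
  if (!names.includes(name)) return setCookie;
  // Drop any existing SameSite attribute (with or without a value) so it is not duplicated.
  const kept = attrs.filter((a) => !/^samesite(=|$)/i.test(a));
  return [pair, ...kept, `SameSite=${value}`].join('; ');
}

// Rewrite every Set-Cookie value in a response's header list.
function rewriteSetCookies(headers, value = 'Strict') {
  return headers.map((h) => addSameSite(h, value));
}

// Constructed sample Set-Cookie values: one plain session cookie, one that
// already carries SameSite, and one non-session cookie.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly; Secure',
  'PHPSESSID=xyz789; Path=/; SameSite=Lax',
  'theme=dark; Path=/',
];

rewriteSetCookies(SAMPLE_HEADERS);
```

Wire `rewriteSetCookies` into whatever layer sees the response headers (an Express middleware, a reverse proxy hook); the Apache rule does the same job, but the regex there should be anchored to cookies that do not already contain SameSite if the application may add it in a later release.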
It looks like PHP.INI might support the following attribute in a future release, but it’s not there yet!