What's wrong with samesite not working?

problem description

want to prevent csrf attacks through samesite, but write a demo,cookie and always don"t get it.

the environmental background of the problems and what methods you have tried

I started two websites with ports 3001 and 3002pj3001 to set up the cookie,3002 request 3001 service. The cookie of
3001 sets samesite to strict, but the request made by 3002 still gets the cookie.

related codes

Development language nodejs, Framework express,chrome browser

/ / 3001 Code

app.get("/main", (req, res) => {
  res.cookie("name", "wenmu", { sameSite: "strict" });
  res.set({ "Content-Type": "text/html" });
  res.sendFile("main.html", { root: __dirname });
});

app.get("/setVal", (req, res) => {
  console.log(req.headers.cookie);
  console.log(req.headers.referer);
  res.send([req.headers.referer, req.headers.cookie]);
});

app.listen(3001, () => {
  console.log("app start on port 3001");
});

/ / 3002 Code

<a href="http://localhost:3001/setVal"></a>

expected results

if you click on the request issued by "100 Yuan Award", the server should not carry cookie after receiving the request.


samesite does not follow the same origin policy, but Public Suffix List
, so different port numbers and different subdomains are considered to be the same site

.
MySQL Query : SELECT * FROM `codeshelper`.`v9_news` WHERE status=99 AND catid='6' ORDER BY rand() LIMIT 5
MySQL Error : Disk full (/tmp/#sql-temptable-64f5-1bd519d-2fc97.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
MySQL Errno : 1021
Message : Disk full (/tmp/#sql-temptable-64f5-1bd519d-2fc97.MAI); waiting for someone to free some space... (errno: 28 "No space left on device")
Need Help?