Bypassing SameSite=Strict in Chrome via DevTools
⚔️ Attack Techniques & Methods · 2026-05-13, 11:29
Researchers Mian and bug_blitzer discovered a Chrome bug where opening DevTools could turn a cross-site POST request into an authenticated CSRF. Under normal conditions, a cookie marked SameSite=Strict is never attached to a cross-site request. However, if the target site had a registered Service Worker, Chrome could re-issue the request with the victim's session cookies attached.
The attack works as follows: an attacker-controlled page sends a cross-site POST request to the target application. As expected, the browser initially omits the Strict cookies. When the victim later opens DevTools, the component responsible for loading the response body issues an internal follow-up request to retrieve the content, and this second request carries the victim's session cookies.
The root cause lies in the request mode used by DevTools. Chrome combined kNoCors with kOnlyIfCached, even though the Fetch standard only permits the only-if-cached cache mode together with the same-origin request mode; a page can never construct such a request itself. The malformed internal request was nonetheless dispatched to the target site's Service Worker, which intercepted it and executed fetch(event.request) within the origin of the victim application, so the replayed request was sent as a first-party request with cookies.
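As an added illustration, not code from the researchers or from Chrome, the following Service Worker fetch handler checks the invariant named above before it relays anything with fetch(event.request), leaves state-changing methods to the browser instead of replaying them from inside the origin, and shows that a spec-compliant Request constructor refuses the same cache/mode combination. The hostname victim.example, the shape of the sample requests and the rule that the worker never replays POST/PUT/PATCH/DELETE are assumptions made for this example.

```javascript
// Added example (not from the original write-up or from Chrome): a Service
// Worker fetch handler that refuses to act as a cookie-bearing relay for
// requests violating the Fetch-standard invariant that the "only-if-cached"
// cache mode is only valid together with the "same-origin" request mode.
// Requests passed to classifyRequest are plain-object stand-ins for
// event.request so the logic can run offline in Node.

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Decide how the worker should treat one intercepted request.
// Returns { verdict, reason } where verdict is:
//   'reject'      - answer with a network error, never touch the network
//   'passthrough' - do not call respondWith(); the browser performs the fetch
//                   itself with its normal SameSite cookie handling
//   'forward'     - safe to relay with fetch(event.request)
function classifyRequest(req) {
  // The invariant Chrome's DevTools path broke. A well-formed page fetch can
  // never produce this combination, so the request did not come from one.
  if (req.cache === 'only-if-cached' && req.mode !== 'same-origin') {
    return { verdict: 'reject', reason: 'only-if-cached with non-same-origin mode' };
  }
  // Hardening assumption for this example: the worker never replays
  // state-changing requests. Re-issuing them from inside the origin is what
  // attached the victim's session cookies in the bug described above.
  if (STATE_CHANGING.has(String(req.method).toUpperCase())) {
    return { verdict: 'passthrough', reason: 'state-changing method left to the browser' };
  }
  return { verdict: 'forward', reason: 'ordinary read request' };
}

// Spec-compliant fetch implementations enforce the same invariant at the API
// surface: the Request constructor throws a TypeError for this combination.
// Returns true if it threw, false if it did not, null if Request is unavailable.
function constructorRejectsOnlyIfCached(mode) {
  if (typeof Request === 'undefined') return null;
  try {
    // victim.example is a placeholder host used only for this example
    new Request('https://victim.example/account/email', { mode, cache: 'only-if-cached' });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample requests modelling the write-up's scenario (assumed shapes).
const SAMPLE_REQUESTS = {
  // shape of the internal DevTools follow-up request as described above
  devtoolsRefetch: { method: 'POST', mode: 'no-cors', cache: 'only-if-cached',
    url: 'https://victim.example/account/email' },
  // an ordinary same-origin asset load the worker may legitimately serve
  assetLoad: { method: 'GET', mode: 'same-origin', cache: 'default',
    url: 'https://victim.example/app.js' },
  // a form post the page itself makes; the browser, not the worker, sends it
  pageFormPost: { method: 'POST', mode: 'same-origin', cache: 'default',
    url: 'https://victim.example/account/email' },
};

// The actual worker wiring, only active inside a ServiceWorkerGlobalScope.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const { verdict } = classifyRequest(event.request);
    if (verdict === 'reject') {
      event.respondWith(Response.error());
    } else if (verdict === 'forward') {
      event.respondWith(fetch(event.request));
    }
    // 'passthrough': no respondWith(), so the browser handles the request itself
  });
}
```

Running classifyRequest over the constructed samples gives 'reject' for the DevTools-shaped request, 'forward' for the asset load and 'passthrough' for the page's own POST. The constructor check documents why the worker-side guard is needed at all: the invariant is enforced for requests a page builds, but an internal browser component that bypasses the constructor can still hand the worker a request no page could have created.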