I am trying sameSite: 'strict', but it is not working at all.
Server1 (running on http://localhost:5000/):
    const express = require('express');
    const cookieParser = require('cookie-parser');
    const logger = require("morgan");
    const app = express();

    app.use(cookieParser());
    app.use(logger("dev"));

    app.get('/', (req, res) => {
        res.cookie('mycookie', 'omarhadidi', {
            sameSite: 'strict'
        });
        res.sendFile('./server.html', { root: __dirname });
    });

    app.post('/delete-user', (req, res) => {
        console.log('cookies :>> ', req.cookies);
        res.send('I am hacked');
    });

    app.listen(5000, () => console.log("Server Listening on port 5000"));
Server2 (running by VSCode LiveServer on http://localhost:3000/hack.html):
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>Document</title>
    </head>
    <body>
        <p id="data"></p>
        <form action="http://localhost:5000/delete-user" method="post">
            <input type="submit" value="Hack">
        </form>
        <script>
            console.log('cookies :>> ', document.cookie);
            const form = document.querySelector("form");
            // form.submit(); commented out here so I can submit it manually using the submit button
        </script>
    </body>
    </html>
The Problem:
When I send a GET request to http://localhost:5000/, mycookie is set, but it is also sent when I send a POST to http://localhost:5000/delete-user from the form in http://localhost:3000/hack.html. "Sent" here means logged by console.log('cookies :>> ', req.cookies); in Server 1.