Why wouldn’t a site’s cookies be sent in this scenario?

Çağlar Arlı

I'm reading an article on Okta's engineering blog, which contains the following paragraph:

Some of the disadvantages of cookies include:

Cross-site request forgery attacks (XSRF or CSRF): CSRF attacks are only possible with cookie-based session handling. The SameSite attribute allows you to decide whether cookies should be sent to third-party apps using the Strict or Lax settings. A strict setting can prevent CSRF attacks, but it can also contribute to a poor browser experience for the user. For example, say your site uses a cookie named tutorials_shown to determine whether a user has already seen specific tutorials in order to show them new ones every time they visit. If SameSite is set to Strict and someone follows a link to your site, the cookie will not be sent on that first request, and previously viewed tutorials will be shown. This creates a less personalized user experience.

I get why "previously viewed tutorials will be shown" in this scenario, but I don't get why "the cookie will not be sent on that first request". If I'm on site A, which contains a link to site B (for which I currently have cookies stored in my browser), I'm confused as to why those cookies wouldn't be sent as part of the request when I click the link to site B.

As long as site A can't inspect the request that I make to site B, it doesn't seem like a security risk to send the cookies on every request, including that first one. So does this imply that site A does in fact have the ability to inspect that request, including the cookie data?
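The behaviour the question is asking about comes from the browser's own cookie-attachment rules, not from anything site A can see. The following is an added example (not code from the original post or from the Okta article) that models those rules as described in RFC 6265bis: a cookie with SameSite=Strict is attached only when the request's site matches the site of the page that initiated it, a Lax cookie is additionally attached on cross-site top-level navigations that use a safe method (which is why a plain link click carries a Lax cookie but not a Strict one), and a None cookie is attached everywhere but only if it is also marked Secure. The hostnames, cookie names and request objects below are constructed for the example, and the registrable-domain helper is a deliberate simplification (real browsers consult the Public Suffix List).

```javascript
// Added example: a model of a browser's SameSite decision for one request.
// Not from the original post or the Okta article; hostnames are constructed.

// Registrable domain, approximated as the last two DNS labels.
// ASSUMPTION (simplification): real browsers use the Public Suffix List, so
// "shop.example.co.uk" would be the site "example.co.uk"; this helper does not.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// "Site" in the schemeful sense used by modern browsers: scheme + registrable domain,
// so http://b.example and https://b.example are different sites.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameSite(requestUrl, initiatorUrl) {
  // A request with no initiator (typed URL, bookmark) counts as same-site.
  if (initiatorUrl === null) return true;
  return siteOf(requestUrl) === siteOf(initiatorUrl);
}

// cookie:  { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// request: { url, initiator: URL string or null, method, topLevelNavigation: boolean }
// Returns true if the browser would attach the cookie to this request.
function shouldSendCookie(cookie, request) {
  const sameSite = isSameSite(request.url, request.initiator);
  const safeMethod = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(request.method.toUpperCase());
  // Chromium treats a cookie without a SameSite attribute as Lax.
  const mode = cookie.sameSite ?? 'Lax';

  switch (mode) {
    case 'Strict':
      // Strict: same-site requests only. A link clicked on site A is initiated by
      // site A, so the cookie stays home on that first navigation to site B.
      return sameSite;
    case 'Lax':
      // Lax: same-site, plus cross-site top-level navigations with a safe method.
      // A cross-site form POST (the classic CSRF shape) does not qualify.
      return sameSite || (request.topLevelNavigation && safeMethod);
    case 'None':
      // None: sent cross-site, but browsers reject SameSite=None without Secure.
      return cookie.secure === true;
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// The scenario from the question: the user is on site A and clicks a link to site B.
const linkClick = {
  url: 'https://b.example/tutorials',
  initiator: 'https://a.example/page',
  method: 'GET',
  topLevelNavigation: true,
};
// A cross-site form POST to site B, the request shape CSRF relies on.
const crossSitePost = {
  url: 'https://b.example/account',
  initiator: 'https://a.example/evil',
  method: 'POST',
  topLevelNavigation: true,
};
// A later navigation within site B itself, after the user has landed there.
const withinB = {
  url: 'https://b.example/next',
  initiator: 'https://b.example/tutorials',
  method: 'GET',
  topLevelNavigation: true,
};

const strictCookie = { name: 'tutorials_shown', sameSite: 'Strict', secure: true };
const laxCookie = { name: 'tutorials_shown', sameSite: 'Lax', secure: true };

// Run the four cases side by side and return the decisions.
function scenario() {
  return {
    strictOnLinkClick: shouldSendCookie(strictCookie, linkClick),   // false: first request to B
    laxOnLinkClick: shouldSendCookie(laxCookie, linkClick),         // true
    laxOnCrossSitePost: shouldSendCookie(laxCookie, crossSitePost), // false: CSRF shape blocked
    strictWithinB: shouldSendCookie(strictCookie, withinB),         // true: now same-site
  };
}

console.log(scenario());
```

Note that nothing in the model consults site A at all: the decision is made by the browser from the initiator's site and the cookie's attribute, which is why the cookie is withheld even though site A never sees the request or its headers.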