If a cookie (auth cookie in particular) has httpOnly attribute set, does sameSite attribute add any other layer of security?
From my understanding, sameSite is used to prevent CSRF, but httpOnly mitigates that, no?
Only thing I can think of is that the server would drop the sameSite cookie if the attacker got hold of it and sent it to the server from a different domain (not sure what use that would have).
No, HTTPOnly does not mitigate CSRF attacks...You do indeed need SameSite for that.
What HTTPOnly does is to protect your cookies from being extracted and abused by an attacker who has found an XSS vulnerability on your website. SameSite on the other hand, prevents them from being sent along with requests from different sites, which can occur without the attacker ever having access to the cookies. This doesn't eliminate the need for CSRF protection in your application as browser support for the SameSite attribute is currently limited and the RFC is still in draft status, but setting it may be useful as a defense-in-depth measure.
