前端学堂
学有所用

Chrome 79+默认执行SameSite-by-default,跨域请求默认不携带cookie

之前没太注意,今天有同事反馈说跨域请求跳登录了,查了下没有携带cookie。于是乎,我查了下MDN关于set-cookie

关于设置cookie

一般是通过请求后端接口,后端接口返回set-cookie请求头,浏览器会自动设置对应cookie,浏览器默认是阻止js操作set-cookie的请求头的。

示例:

Set-Cookie: = 
Set-Cookie: =; Expires=
Set-Cookie: =; Max-Age=
Set-Cookie: =; Domain=
Set-Cookie: =; Path=
Set-Cookie: =; Secure
Set-Cookie: =; HttpOnly

Set-Cookie: =; SameSite=Strict
Set-Cookie: =; SameSite=Lax
Set-Cookie: =; SameSite=None

// Multiple attributes are also possible, for example:
Set-Cookie: =; Domain=; Secure; HttpOnly

相关参数

Secure Optional ,Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistent to man-in-the-middle attacks.

Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the HttpOnly cookie attribute is not set.

Note: Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).

secure 参数可选,只有是HTTPS请求的响应才能设置secure属性,可以很好地防止劫持。需要注意的是这个参数并不能保证cookie是安全的,cookie是存在客户端硬盘的,其他软件或者javascript仍然可以读取或者修改。chrome >=52, FireFox >= 52版本浏览器,在http请求中是不能设置secure属性的cookie的

HttpOnly Optional,Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property. Note that a cookie that has been created with HttpOnly will still be sent with JavaScript-initiated requests, e.g. when calling XMLHttpRequest.send() or fetch(). This mitigates attacks against cross-site scripting (XSS).

httponly属性可选,禁止JavaScript访问cookie,比如document.cookie,但是JavaScript发起的ajax或fetch请求还是会默认带上cookie

SameSite= Optional

  • Strict: The browser sends the cookie only for same-site requests (that is, requests originating from the same site that set the cookie). If the request originated from a different URL than the current one, no cookies with the SameSite=Strict attribute are sent.
  • Lax: The cookie is withheld on cross-site subrequests, such as calls to load images or frames, but is sent when a user navigates to the URL from an external site, such as by following a link.
  • None: The browser sends the cookie with both cross-site and same-site requests.

Asserts that a cookie must not be sent with cross-origin requests, providing some protection against cross-site request forgery attacks (CSRF).Browsers are migrating to have cookies default to SameSite=Lax. If a cookie is needed to be sent cross-origin, opt out of the SameSite restriction using the None value. The None value requires the Secure attribute.

samesite可选值有strict、lax和none,

  • strict表示只有同域请求才会带cookie;
  • lax表示跨域的子请求不会带cookie(比如加载图片、iframe中的请求),只有跳转链接用浏览器打开url这种主请求才会带cookie
  • none表示不管是否跨域都会带cookie

需要注意跨域请求带cookie需要放置CSRF攻击,浏览器后面逐渐会默认给cookie设置成lax,跨域时候子请求就不会再默认带cookie,除非samesite设置成none,同时新的浏览器要求设置secure属性,才能设置samesite为none

这里就找到了根本原因,肯定是新版本浏览器安全性做了提升,

 

Chrome的same-site规则

same-site规则原文看这里(https://www.chromium.org/updates/same-site

Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax with the additional behavior that they will still be included in POST requests to ease the transition for existing sites. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None, and must also be marked Secure and delivered over HTTPS. We will provide policies if you need to configure Chrome Browser to temporarily revert to legacy SameSite behavior.

...

The new SameSite rules will become the default behavior on Stable in Chrome 80, but the changes will be limited to pre-Stable versions of Chrome until then.

...

These policies will be made available starting in Chrome 80. Chrome 79. (See Oct 2, 2019 update.)

摘抄了一部分,可以看到Chrome79+之后,默认就是SameSite:lax了,所以就不支持跨域子请求携带cookie了。

解决方案上面已经给了。当然还有其他的绕开的方案。

赞(0) 打赏

微信扫码成为我的经纪人,不定期福利,一起分享哦!

未经允许不得转载:前端学堂 » Chrome 79+默认执行SameSite-by-default,跨域请求默认不携带cookie

谢谢您的支持,我不吃不喝也要定时更新!

支付宝扫一扫打赏

微信扫一扫打赏