SameSite warning Chrome 77
Since the last update I have been getting cookie errors related to the SameSite attribute.
The cookies come from third-party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.).
The Chrome console error looks like this:
A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
Do I need to do something on my local machine or on the server? Or is it just something they should implement in future versions of their libraries?
This console warning is not an error or an actual problem; Chrome is just promoting this new standard to increase adoption among developers.
It has nothing to do with your code. It is something their web servers have to support.
The release date for the fix is February 4, 2020, as stated here:
https://www.chromium.org/updates/same-site
February 2020: Enforcement rollout for Chrome 80 Stable: the SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US Presidents Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.
For the complete Chrome release schedule, see here.
I solved the same problem by adding a header to the response:
// A Set-Cookie value must start with a name=value pair; the attributes follow after semicolons.
// <name> and <value> are placeholders for the actual cookie.
response.setHeader("Set-Cookie", "<name>=<value>; HttpOnly; Secure; SameSite=Strict");
SameSite
prevents the browser from sending cookies along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are Lax or Strict.
SameSite cookies are explained here.
Please refer to this before applying any option.
Hope this helps.
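The rules the console warning above describes can be checked mechanically, which is useful when you own the server and want to audit your own Set-Cookie headers before Chrome 80 starts enforcing them. The following Python script is an added example, not code from the question or from any answer on this page: it parses Set-Cookie header values (the sample headers, cookie names and values are constructed for illustration), works out the policy Chrome 80 applies to each cookie (a missing SameSite attribute is treated as Lax, SameSite=None without Secure is rejected), reports which cookies the Chrome 77 warning would flag, and decides whether the cookie would be attached to a cross-site request. The function and class names are my own.

```python
"""Audit Set-Cookie headers against the SameSite rules Chrome 80 enforces.

Added example (not from the question or any answer). Sample headers are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and the attributes relevant here.

    Per RFC 6265 the first segment is the name=value pair; everything after the
    first ';' is an attribute. A header that starts with an attribute instead
    (e.g. "HttpOnly;Secure;SameSite=Strict") therefore yields a cookie *named*
    "HttpOnly" with an empty value, which sets nothing useful.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    secure = http_only = False
    same_site = None
    for attr in segments[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            same_site = val.strip().capitalize()  # normalise "none"/"LAX" to "None"/"Lax"
    return Cookie(name.strip(), value.strip(), secure, http_only, same_site)


def effective_same_site(cookie: Cookie) -> str:
    """Policy Chrome 80 applies: no attribute -> Lax; None without Secure -> cookie rejected."""
    if cookie.same_site is None:
        return "Lax"  # "SameSite-by-default"
    if cookie.same_site == "None" and not cookie.secure:
        return "Rejected"  # "SameSite=None-requires-Secure"
    return cookie.same_site


def chrome_warning(cookie: Cookie) -> Optional[str]:
    """Text in the spirit of the Chrome 77 console warning, or None if the cookie is fine."""
    if cookie.same_site is None:
        return f"cookie {cookie.name!r} was set without the `SameSite` attribute"
    if cookie.same_site == "None" and not cookie.secure:
        return f"cookie {cookie.name!r} uses SameSite=None without `Secure`"
    return None


def sent_cross_site(cookie: Cookie, top_level_navigation: bool, method: str = "GET") -> bool:
    """Would Chrome 80 attach this cookie to a cross-site request?

    Strict: never. Lax: only on top-level navigations using a safe method.
    None + Secure: always. (Chrome's temporary "Lax+POST" allowance for
    cookies younger than two minutes is deliberately left out.)
    """
    policy = effective_same_site(cookie)
    if policy in ("Rejected", "Strict"):
        return False
    if policy == "Lax":
        return top_level_navigation and method.upper() == "GET"
    return True  # SameSite=None; Secure


# Constructed sample headers, in the shape a third-party script or font host might set them.
SAMPLE_HEADERS = [
    "_ga=GA1.2.123456789.1577836800; Max-Age=7200",   # no SameSite -> Lax by default, warned
    "sid=abc123; Secure; HttpOnly; SameSite=Strict",  # fine
    "tracker=xyz; SameSite=None",                     # None without Secure -> rejected, warned
    "tracker=xyz; Secure; SameSite=None",             # the form the warning asks for
]


def audit(headers: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (name, effective policy, warning-or-None) for each header."""
    report = []
    for h in headers:
        c = parse_set_cookie(h)
        report.append((c.name, effective_same_site(c), chrome_warning(c)))
    return report


if __name__ == "__main__":
    for name, policy, warning in audit(SAMPLE_HEADERS):
        print(f"{name:<10} {policy:<9} {warning or 'ok'}")
```

Run it against the Set-Cookie headers your own server emits (for example, copied from the Network tab) to see which ones will stop being delivered cross-site. Note that the sent_cross_site decision is the simplified Chrome 80 rule; it omits Chrome's short-lived "Lax+POST" exception for freshly set cookies.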
To elaborate on Rahul Mahadik's answer, this works for MVC5 C#.NET:
AllowSameSiteAttribute.cs
using System.Web.Mvc;

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;
        if (response != null)
        {
            // A Set-Cookie value must begin with a name=value pair; replace the
            // <name> and <value> placeholders with the actual cookie.
            response.AddHeader("Set-Cookie", "<name>=<value>; HttpOnly; Secure; SameSite=Strict");
            //Add more headers...
        }
        base.OnActionExecuting(filterContext);
    }
}
HomeController.cs
[AllowSameSite] //For the whole controller
public class UserController : Controller
{
}
or
public class UserController : Controller
{
    [AllowSameSite] //For the method
    public ActionResult Index()
    {
        return View();
    }
}
Update - June 2021
The Chrome flag #same-site-by-default has been removed from the Chrome experiments panel as of Chrome 91.
The flag is still available through the launch options until Chrome 94.
For macOS, the terminal commands to launch with the flag are:
# Chrome
open -n -a Google\ Chrome --args --disable-features=SameSiteByDefaultCookies
# Chrome Canary
open -n -a Google\ Chrome\ Canary --args --disable-features=SameSiteByDefaultCookies
More info:
Mar 18, 2021: The flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure have been removed from chrome://flags as of Chrome 91, as the behavior is now enabled by default. In Chrome 94, the command-line flag --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure will be removed.
Source: Chromium SameSite Updates page.
Original answer - March 2020
If you are testing on localhost and you have no control over the response headers, you can disable it using a Chrome flag.
Visit the url and disable it: chrome://flags/#same-site-by-default-cookies
I needed to disable it because Chrome Canary started enforcing this rule from around V 82.0.4078.2, and now it does not set these cookies.
Note: I only turn this flag on in Chrome Canary, which I use for development. For the same reasons Google introduced it, it is better not to have the flag turned on for everyday Chrome browsing.
Fixed by adding crossorigin to the script tag.
<script
src="https://code.jquery.com/jquery-3.4.1.min.js"
integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
crossorigin="anonymous"></script>
The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source. Read more at srihash.org
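The integrity value in the script tag above is just a base64-encoded hash of the file's bytes, prefixed with the hash algorithm, and the browser recomputes it before executing the script. The Python script below is an added example, not code from the answer or from srihash.org: it computes an SRI value for a constructed script body, verifies a body against an integrity attribute the way a browser does (when several tokens are listed, only the strongest algorithm present is consulted and any matching token of that algorithm is enough), and builds the matching script tag. The sample script body, the URL and the function names are my own; the one deliberate deviation from the spec is that an attribute with no recognised algorithm fails closed here, whereas a browser skips the check.

```python
"""Compute and verify Subresource Integrity (SRI) values.

Added example, not from the answer above. The sample script body is constructed.
"""
import base64
import hashlib

# Weakest first; a browser prefers the strongest algorithm listed in the attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-in for a third-party script; the URL is a placeholder.
SAMPLE_SCRIPT = b"(function(){window.__sri_demo=1;})();\n"
SAMPLE_SRC = "https://cdn.example/sri-demo.js"


def compute_integrity(body: bytes, algorithm: str = "sha256") -> str:
    """Return the 'algorithm-base64digest' token for body, e.g. 'sha256-47DEQ...'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Check body against an integrity attribute as a browser would.

    Tokens are whitespace-separated; only the strongest recognised algorithm is
    used, and any token of that algorithm that matches the body passes.
    Unrecognised algorithms are ignored; if none remain we fail closed (the
    spec would skip the check instead).
    """
    tokens = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        algo = algo.lower()
        b64 = b64.split("?", 1)[0]  # drop an optional '?options' suffix
        if algo in SRI_ALGORITHMS:
            tokens.setdefault(algo, set()).add(b64)
    if not tokens:
        return False
    strongest = max(tokens, key=SRI_ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, body).digest()).decode("ascii")
    return actual in tokens[strongest]


def script_tag(src: str, body: bytes, algorithm: str = "sha256") -> str:
    """Build the <script> tag with integrity and crossorigin for a body you have vetted."""
    return (f'<script src="{src}" integrity="{compute_integrity(body, algorithm)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    tag = script_tag(SAMPLE_SRC, SAMPLE_SCRIPT)
    print(tag)
    print("original verifies:", verify_integrity(SAMPLE_SCRIPT, compute_integrity(SAMPLE_SCRIPT)))
    print("tampered verifies:", verify_integrity(SAMPLE_SCRIPT + b"//x", compute_integrity(SAMPLE_SCRIPT)))
```

Generate the tag from the exact bytes you reviewed and pin in your page; any later change to the hosted file, whether an upstream release or a compromised CDN, makes the browser refuse to execute it, which is the protection the answer refers to. crossorigin="anonymous" is required because the browser can only check integrity on a response it is allowed to read, which for a third-party origin means a CORS response.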
I had to disable it in chrome://flags
When it comes to Google Analytics, I found raik's answer at Secure Google tracking cookies very useful. It sets secure and samesite in a single value.
ga('create', 'UA-XXXXX-Y', {
cookieFlags: 'max-age=7200;secure;samesite=none'
});
There is more information here: blog post