Fetch Not Sending Cookies

When I use the following js snippet in the console (developer tools) of my browser (tried chrome, firefox and edge), I have a problem with fetch sending cookies:

// Cross-site GET; credentials: 'include' asks the browser to attach cookies
fetch('http://127.0.0.1:3010/check', {
  credentials: 'include',
  method: 'GET'
})
  .then(res => res.json())
  .then(jsonobj => { console.log(jsonobj); });

This is my express code for handling the api request:

var express = require('express');
var path = require('path');
var cookieParser = require('cookie-parser');
var cors = require('cors');

var app = express();
// Allow credentialed requests from the youtube.com origin only
app.use(cors({
    credentials: true,
    origin: 'https://www.youtube.com'
}));
app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(cookieParser());

app.get('/check', (req, res) => {
  // Log whatever cookies the browser attached to the request
  console.log(JSON.stringify(req.cookies));
  res.json({
    message: "COOL"
  });
});

The fetch call succeeds and the message COOL is logged to the browser console. However, the NodeJS console prints an empty object {}, i.e. no cookies.

For example, when I run the fetch request in the console on http://youtube.com/, I expect the browser to send the cookies for my localhost to my express server (I am doing this to simulate sending cookies in a cross-site request).

EDIT 1: Some of the cookies on my localhost also do not have SameSite set, and the mdn docs say that such cookies are sent to the server in cross-site requests as well:

The default behavior if the flag is not set, or not supported by the browser, is to include the cookies in any request, including cross-origin requests.

Either the snippet in the mdn docs is wrong, or the browsers' implementations of SameSite are inconsistent. I am confused.

EDIT 2: This page https://textslashplain.com/2019/09/30/same-site-cookies-by-default/ also says:

In Chrome 80 and later, cookies will default to SameSite=Lax. This means that cookies will automatically be sent only in a first party context unless they opt-out by explicitly setting a directive of None:

Are the mdn docs really incorrect about the default value of SameSite?

EDIT 3: I have proposed an edit to the mdn docs and it has been accepted.

Please look at the edits to the question before using this answer. Now, if a cookie does not have the SameSite attribute set, we can no longer send it in a cross-site request, because browsers have changed the default value of SameSite to lax. Below is a snapshot of the chrome patch notes (for stable version 80, although beta testing applies to version 79 beta; because google considers this change disruptive and likely to make some web applications behave incorrectly, warnings are shown as well) at https://support.google.com/chrome/a/answer/7679408#76:

Cookies with SameSite by default, and Secure SameSite=None cookies in Chrome 80 Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None. They must also be marked Secure and delivered over HTTPS. Policies will be made available for enterprises that need to configure Chrome to temporarily revert to legacy SameSite behavior.

Currently Firefox and Edge show similar behaviour as well. To send cookies in cross-origin requests, we must explicitly set the SameSite attribute to None as:

Set-Cookie: key=value; SameSite=None; Secure

Also note that Secure is mandatory, otherwise the cookie is treated as a Lax cookie. Use the None option only if you really know what you are doing and handle cross-site request forgery properly!

I have proposed a change to the mdn docs on Http Cookies (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies), and the change has been published. Now the mdn docs say:

Previously, the default behavior if the SameSite attribute is not set, or not supported by the browser, was to include the cookies in any request — including cross-origin requests.

However, new versions of browsers default to SameSite=Lax. In other words, cookies with no SameSite attribute set are now handled as if the value of the SameSite attribute is set to Lax — which means that cookies will automatically be sent only in a first party context. To specify that cookies are to be sent in both same-site and cross-origin requests, the value must be explicitly set to None.