在哪里添加`SameSite=None`?
Where to add `SameSite=None`?
我的网站上出现了以下代码,我尽力无法理解它,所以我有几个问题,请阅读。
category-search-Forum:1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
我在堆栈和其他在线地方看到很多人谈论这个,但是 none 已经解释了如何添加 SameSite=None。
1 问题:如何或在何处添加 SameSite=None?
并查看错误,什么是 'Secure'
这是否意味着 SameSite=Secure?
SameSite=None和SameSite=Secure有什么区别?
如此处所讨论:https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
这实际上是一个服务器端问题。它只是说,您正在使用来自另一个站点的资源(通常是 JS 或 CSS)并且该服务器正在尝试设置 cookie;但是,它没有设置 SameSite 属性。
这是由于:
Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.
To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.
Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.
由于您的 post 没有定义您是在服务器端还是在客户端工作,我的假设是您在客户端工作,因此您无能为力资源需要更新它。但是,如果您正在进行服务器端开发,这里是不同语言的资源列表:https://github.com/GoogleChromeLabs/samesite-examples
TLDR;如果您是客户端开发人员,那是因为 linked 资源没有此设置,您对此无能为力。如果您是服务器端开发人员,请查看 github link 以获取有关如何为您的站点修复此问题的示例。
编辑:如果您只想删除该消息,请在此处讨论解决方案: 您可以通过 chrome://flags Cookie Deprecation messages disabled.
禁用它们
我 运行 在我的 Electron APP / 浏览器端遇到了类似的问题
- fetch 的
credentials: 'omit' 为我解决了警告问题
// Example
await fetch('https://example.com', {credentials: 'omit'});
因为这是Google中的第一篇link,所以写在这里,相信对像我这样的人会有帮助; xoxoxo
我的网站上出现了以下代码,我尽力无法理解它,所以我有几个问题,请阅读。
category-search-Forum:1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
我在堆栈和其他在线地方看到很多人谈论这个,但是 none 已经解释了如何添加 SameSite=None。
1 问题:如何或在何处添加 SameSite=None?
并查看错误,什么是 'Secure'
这是否意味着 SameSite=Secure?
SameSite=None和SameSite=Secure有什么区别?
如此处所讨论:https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
这实际上是一个服务器端问题。它只是说,您正在使用来自另一个站点的资源(通常是 JS 或 CSS)并且该服务器正在尝试设置 cookie;但是,它没有设置 SameSite 属性。
这是由于:
Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.
To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.
Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.
由于您的 post 没有定义您是在服务器端还是在客户端工作,我的假设是您在客户端工作,因此您无能为力资源需要更新它。但是,如果您正在进行服务器端开发,这里是不同语言的资源列表:https://github.com/GoogleChromeLabs/samesite-examples
TLDR;如果您是客户端开发人员,那是因为 linked 资源没有此设置,您对此无能为力。如果您是服务器端开发人员,请查看 github link 以获取有关如何为您的站点修复此问题的示例。
编辑:如果您只想删除该消息,请在此处讨论解决方案:chrome://flags Cookie Deprecation messages disabled.
我 运行 在我的 Electron APP / 浏览器端遇到了类似的问题
- fetch 的
credentials: 'omit'为我解决了警告问题
// Example
await fetch('https://example.com', {credentials: 'omit'});
因为这是Google中的第一篇link,所以写在这里,相信对像我这样的人会有帮助; xoxoxo