如何使用 document.cookie 创建 secure/httpOnly cookie?
How can I create secure/httpOnly cookies with document.cookie?
如果我创建函数:
function setCookie(name, value)
{
// this works:
// document.cookie=name + "=" + escape(value) + "; path=/;";
// this does not:
// document.cookie=name + "=" + escape(value) + "; path=/; secure; HttpOnly; SameSite=strict";
}
setCookie('my_cookie','some_random_value');
我不是 100% 了解为什么第二个选项不起作用。有人有什么想法吗?
见MDN:
A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
你不能用 document.cookie 设置它,因为标志的 整个 点是为了防止用 document.cookie 设置(或读取)它.
如果我创建函数:
function setCookie(name, value)
{
// this works:
// document.cookie=name + "=" + escape(value) + "; path=/;";
// this does not:
// document.cookie=name + "=" + escape(value) + "; path=/; secure; HttpOnly; SameSite=strict";
}
setCookie('my_cookie','some_random_value');
我不是 100% 了解为什么第二个选项不起作用。有人有什么想法吗?
见MDN:
A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
你不能用 document.cookie 设置它,因为标志的 整个 点是为了防止用 document.cookie 设置(或读取)它.