Chrome 79+ enforces SameSite-by-default

Chrome 79+ enforces SameSite-by-default: cross-site requests no longer carry cookies by default

I hadn't paid much attention to this before. Today a colleague reported that a cross-site request was being bounced to the login page; on inspection, the request carried no cookie. So I looked up the MDN documentation on Set-Cookie.

Setting cookies

Cookies are usually set by calling a backend API: the backend response carries a Set-Cookie header and the browser stores the corresponding cookie automatically. By default, browsers block JavaScript from manipulating the Set-Cookie header.

Example:

Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
Set-Cookie: <cookie-name>=<cookie-value>; Secure
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly

Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax
Set-Cookie: <cookie-name>=<cookie-value>; SameSite=None

// Multiple attributes are also possible, for example:
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly

Related attributes

Secure Optional, Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.

Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client’s hard disk, or from JavaScript if the HttpOnly cookie attribute is not set.

Note: Insecure sites (http:) can’t set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).

The Secure attribute is optional: only the response to an HTTPS request can set a cookie with the Secure attribute, which is a good defence against hijacking. Note that this attribute does not guarantee the cookie is safe: the cookie is stored on the client's hard disk, and other software or JavaScript can still read or modify it. In Chrome >= 52 and Firefox >= 52, a cookie with the Secure attribute cannot be set from an HTTP request.

HttpOnly Optional,Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property. Note that a cookie that has been created with HttpOnly will still be sent with JavaScript-initiated requests, e.g. when calling XMLHttpRequest.send() or fetch(). This mitigates attacks against cross-site scripting (XSS).

The HttpOnly attribute is optional: it forbids JavaScript from accessing the cookie (for example via document.cookie), but AJAX or fetch requests initiated by JavaScript will still carry the cookie by default.

SameSite=<samesite-value> Optional

  • Strict: The browser sends the cookie only for same-site requests (that is, requests originating from the same site that set the cookie). If the request originated from a different URL than the current one, no cookies with the SameSite=Strict attribute are sent.
  • Lax: The cookie is withheld on cross-site subrequests, such as calls to load images or frames, but is sent when a user navigates to the URL from an external site, such as by following a link.
  • None: The browser sends the cookie with both cross-site and same-site requests.

Asserts that a cookie must not be sent with cross-origin requests, providing some protection against cross-site request forgery attacks (CSRF). Browsers are migrating to have cookies default to SameSite=Lax. If a cookie is needed to be sent cross-origin, opt out of the SameSite restriction using the None value. The None value requires the Secure attribute.

The possible SameSite values are Strict, Lax and None:

  • Strict: the cookie is sent only with same-site requests;
  • Lax: the cookie is withheld on cross-site subrequests (for example loading images or requests inside an iframe); only top-level requests, such as the browser opening a URL by following a link, carry the cookie;
  • None: the cookie is sent regardless of whether the request is cross-site.

Note that sending cookies on cross-site requests has to be guarded against CSRF attacks. Browsers are gradually moving to default cookies to Lax, so cross-site subrequests will no longer carry cookies by default unless SameSite is set to None; newer browsers additionally require the Secure attribute before SameSite=None can be set.

That is the root cause: newer browser versions have tightened security.

Chrome's SameSite rules

The original text of the SameSite rules is here: https://www.chromium.org/updates/same-site

Starting in Chrome 80, cookies that do not specify a SameSite attribute will be treated as if they were SameSite=Lax with the additional behavior that they will still be included in POST requests to ease the transition for existing sites. Cookies that still need to be delivered in a cross-site context can explicitly request SameSite=None, and must also be marked Secure and delivered over HTTPS. We will provide policies if you need to configure Chrome Browser to temporarily revert to legacy SameSite behavior.

The new SameSite rules will become the default behavior on Stable in Chrome 80, but the changes will be limited to pre-Stable versions of Chrome until then.

These policies will be made available starting in Chrome 79 (previously stated as Chrome 80; see Oct 2, 2019 update).

From this excerpt you can see that from Chrome 79+ onwards the default is SameSite=Lax, so cross-site subrequests no longer carry cookies.

The solution was already given above (SameSite=None together with Secure). There are of course other ways to work around it as well.
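To make the behaviour described above concrete, here is an added example (not code from the original post or from Chromium) that models Chrome 80's cookie rules: it builds and parses Set-Cookie header values, refuses the SameSite=None-without-Secure combination that Chrome rejects, and decides whether the browser would attach a cookie to a request given its context. The function names and the request-context fields (sameSite, topLevelNavigation, method, https) are my own assumptions, not a browser API; the "Lax + POST" branch models the transition allowance quoted from the Chromium page, minus Chrome's 2-minute age limit on that allowance.

```javascript
// Added example: a small model of Chrome 80's SameSite cookie handling.
// Function names and the ctx fields are assumptions for this illustration.

// RFC 7231 "safe" methods: Lax cookies ride along on top-level navigations using these.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Build a Set-Cookie header value. Throws on the combination Chrome 80 rejects:
// SameSite=None without Secure.
function buildSetCookie(name, value, attrs = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (attrs.sameSite === "None" && !attrs.secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${value}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value. sameSite is normalised to
// "Strict" | "Lax" | "None" | null (null = attribute absent, i.e. the legacy case).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of rest) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": {
        const norm = v.toLowerCase();
        cookie.sameSite = norm === "strict" ? "Strict" : norm === "none" ? "None" : "Lax";
        break;
      }
      default: break; // Domain, Path, Expires, Max-Age do not affect this model
    }
  }
  return cookie;
}

// Would Chrome 80 store this cookie at all? SameSite=None needs Secure.
function browserAcceptsCookie(cookie) {
  return !(cookie.sameSite === "None" && !cookie.secure);
}

// Would Chrome 80 attach the cookie to a request?
// ctx = {
//   sameSite: boolean,           // request site equals the cookie's site
//   topLevelNavigation: boolean, // following a link / form submit, vs. an <img>, iframe or fetch subrequest
//   method: string,              // HTTP method of the request
//   https: boolean,              // request scheme is https:
// }
function browserSendsCookie(cookie, ctx) {
  if (!browserAcceptsCookie(cookie)) return false; // never stored in the first place
  if (cookie.secure && !ctx.https) return false;   // Secure: https only (localhost exception omitted)
  if (ctx.sameSite) return true;                   // same-site requests always get the cookie
  switch (cookie.sameSite) {
    case "Strict":
      return false;
    case "None":
      return true;
    case "Lax":
      return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method);
    default:
      // No SameSite attribute: treated as Lax, plus the "Lax + POST" transition
      // allowance (top-level POST navigations still get the cookie). Chrome limits
      // that allowance to cookies set less than 2 minutes earlier; the age check is
      // omitted here as a simplification.
      return ctx.topLevelNavigation &&
        (SAFE_METHODS.has(ctx.method) || ctx.method === "POST");
  }
}

module.exports = { buildSetCookie, parseSetCookie, browserAcceptsCookie, browserSendsCookie };
```

Feeding a legacy "session=abc; Path=/; HttpOnly" cookie into browserSendsCookie with a cross-site, non-navigation GET context reproduces the symptom from the start of the post (no cookie, hence the login redirect), while the same cookie built with Secure and SameSite=None is sent, but only over https.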
