为什么iframe请求没有发送Cookie? [英] Why are iframe requests not sending cookies?

问题描述

同级部门已创建一个HTML文件，该文件实际上是少数iframe的支架.每个iframe调用一个报表，该报表托管在Web服务器上，参数略有不同.调用的报告将向未经身份验证的用户显示登录表单，或向已认证的用户显示报告内容.

A sibling department has created an HTML file that is effectively a scaffold for a handful of iframes. The iframes each call a report, which is hosted on a web server, with slightly different parameters. The called report will show a sign-on form to unauthenticated users, or the report contents to already-authenticated users.

scaffold.html:

scaffold.html:

<html>
   <head>
      <title>I just show the output from a bunch of report calls</title>
   </head>
   <body>
      <iframe src="https://somesite.com/useful_report.html?parameter1=a&parameter2=1" id="iframe1"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=b&parameter2=2" id="iframe2"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=c&parameter2=3" id="iframe3"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=d&parameter2=4" id="iframe4"></iframe>
   </body>
</html>

同胞组织向我们解释说，如果用户登录到 https://somesite.com ，则上述内容设置效果很好-每个iframe都将显示几天后的...有用的内容.

The sibling organization explained to us that if a user was signed on to https://somesite.com, the above setup worked great--each of the iframes would display the useful_report.html content...until a few days ago.

当我

1. 登录到 https://somesite.com ，然后
2. 将文件:///C:/Users/me/Desktop/scaffold.html加载到Chrome中

每个iframe都返回 https://somesite.com 登录表单.然后，如果我在单独的标签中打开utility_report.html，则会加载报告内容(证明somesite.com知道我仍在登录‡).

each of the iframes returns the https://somesite.com sign on form. If I then open useful_report.html in a separate tab, the report content loads (proving somesite.com knows I am still signed on‡).

使用开发人员工具，我可以看到对有用的_report.html的请求标头不包含"Cookie:"属性，因此这解释了为什么有用的_report.html返回表单登录的原因.

Using developer tools, I can see that the request headers to useful_report.html do not include the "Cookie:" attribute, so this explains why useful_report.html returns the sign on form.

我的问题是为什么iframe请求不发送Cookie?什么Chrome和/或服务器设置/策略/指令阻止了它?

My question is why are the iframe requests not sending cookies? What Chrome and/or server setting/policy/directive prevents it?

‡-现在它知道我知道了.

‡ - and now it knows that I know that it knows.

推荐答案

这是因为 SameSite Cookie策略所致， Chrome默认为Lax ，这意味着除非用户看到不包含iframe的网址，否则不会发送cookie.

That's because of SameSite cookie policy that Chrome defaults to Lax, meaning the cookies won't be sent unless the user can see the URL which excludes iframes.

如果您拥有 somesite.com ，则可以通过将SameSite策略设置为无"来退出此策略，并通过

If you own the somesite.com you can opt-out of this policy by setting SameSite policy to None and deal with the risk of CSRF attacks by a doing Double Submit Cookie.

这篇关于为什么iframe请求没有发送Cookie?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！