是否可以代表用户在我的网站上禁用第三方cookie? [英] Is it possible to disable third-party cookies while on my site on behalf of users?

问题描述

我有一个网站从另一个网站加载资源.我已经能够确定:

I have a website that loads a resource from another website. I've been able to determine that:

• 第三方网站在用户的浏览器中放置cookie.
• 如果我在浏览器设置中禁用了第三方cookie，则第三方网站将不再能够在浏览器中放置cookie.
• 资源仍然可以正常工作.

我想知道是否可以从网站上提供某种标头或其他指令，这些标头或指令可以对用户产生与禁用第三方Cookie相同的效果，但是并不需要它们随便看看它们的设置.

I'm wondering if there is some kind of header or other directive I can deliver from my website that will have the same effect for my users as if they had disabled third-party cookies, but which doesn't require them to go and monkey around with their settings.

推荐答案

通常，无法阻止您的浏览器在HTTP请求中包含cookie.但是，最近，向浏览器添加了一些获取资源的新方法.

Generally, it has been impossible to prevent your browser from including cookies in your HTTP requests. However, recently, few new ways to fetch resources were added to browsers.

• 使用获取API : fetch 在响应中忽略 Set-Cookie ，除非指定，否则不包括 Cookie .

• Using the Fetch API: fetch ignores Set-Cookie in responses, and does not include Cookie unless specified.

使用ES6(ES2015)模块: < script type ="module" ...> ，不带 crossorigin 属性将不会发送 Cookie .它不适用于非模块脚本，并且必须配置服务器(而不是您的服务器，一个用于服务文件)，以使用有效的CORS标头为文件提供服务.从blah.com/script.js 用 import *导入的脚本也将以相同的方式运行.请点击链接以获取更多信息.

Using ES6 (ES2015) modules: <script type="module" ...> without its crossorigin attribute will not send Cookie. It doesn't work for non-module scripts, and the server (not yours, the one serving the file) must be configured to serve the file with valid CORS headers. Scripts imported with import * from blah.com/script.js will also behave in the same way. Follow the link for more info.

但是，所有这些操作都可以通过使用跨源资源共享(CORS)，并且如果资源服务器配置为禁止没有凭据(cookie和其他标头)的请求，则它们将无法工作.您可能会收到404或其他错误.

But these all work by using Cross-Origin Resource Sharing (CORS), and if the resource server is configured to disallow requests without credentials (cookies, and other headers), they won't work. You will likely get 404 or other errors instead.

如果您担心第三方cookie，通常最好从您自己的服务器或像大多数CDN一样的无cookie的服务器中提供静态信息.

If you are worried about third-party cookies, it's usually better to serve statics from your own server, or cookie-free servers like most CDNs.

Firefox和Safari等浏览器默认情况下禁用第三方cookie，而Chrome是最新的现代浏览器，截至2020年1月，默认情况下仍允许第三方cookie.但是，即使

Browsers such as Firefox and Safari disable third party cookies by default, and Chrome is the last modern browser that still allows third party cookies by default as of Jan 2020. But even Chrome is phasing out of third party cookies.

这篇关于是否可以代表用户在我的网站上禁用第三方cookie?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！