chrome blocking the cookies even with samesite=None


Problem description

I have a Flask application hosted on Heroku, embedded as an iframe in one of my websites. Let's say a.com renders this <heroku_url>.com as an iframe. When a user visits a.com, <heroku_url>.com is rendered and a session is created.

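from flask import Flask, session, make_response

app = Flask(__name__)
app.secret_key = "replace-me"  # placeholder; Flask sessions need a secret key

@app.route("/")
def index():
    # Stores data in Flask's own session cookie (named "session" by default)
    session['foo'] = 'bar'
    response = make_response("setting cookie")
    # Only this extra cookie is marked SameSite=None; Secure
    response.headers.add('Set-Cookie', 'cross-site-cookie=bar; SameSite=None; Secure')
    return response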

In Chrome dev tools, I see the cookie getting blocked. It works fine in Firefox, though. Am I setting the cookie properly? I understand this is due to the Chrome 80 update, but I am not sure about the workaround.

Recommended answer

Setting the samesite attribute in the session cookie to None seems to have solved the problem.

Had to update werkzeug (the WSGI web application library which is wrapped by Flask) and update the session cookie, i.e.:

app.config['SESSION_COOKIE_SAMESITE'] = 'None'
app.config['SESSION_COOKIE_SECURE'] = True

However, this also depends on the user's preference in 'chrome://settings/cookies'.

Chrome will block the session cookies even if samesite is set to None if one of the below options is selected:

  • Block third-party cookies
  • Block all cookies
  • Block third-party cookies in incognito (blocks in incognito mode).
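
The difference between the question's two cookies, as an added example that is not part of the original post or answer: a standard-library Python check that classifies Set-Cookie headers by how Chrome 80 and later treat them in a cross-site iframe. The header values are constructed samples, and `parse_set_cookie`, `cross_site_verdict` and `audit` are hypothetical helper names.

```python
# Added example: classify Set-Cookie headers by how Chrome 80+ treats them
# when the response is loaded in a cross-site (third-party) iframe.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs) with lowercase attr keys."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header):
    """Return (cookie name, verdict) for a third-party (iframe) context."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none" and secure:
        # Still subject to the user's third-party cookie setting in Chrome.
        return name, "sent"
    if samesite == "none":
        return name, "rejected: SameSite=None requires Secure"
    if samesite in ("lax", "strict"):
        return name, "withheld: SameSite=" + samesite.capitalize()
    return name, "withheld: SameSite missing or unrecognized, treated as Lax"


# Constructed sample headers modelled on the question: the custom cookie is
# marked correctly, but the first session cookie carries no SameSite attribute.
SAMPLE_HEADERS = [
    "cross-site-cookie=bar; SameSite=None; Secure",
    "session=constructed-value; HttpOnly; Path=/",
    "session=constructed-value; Secure; HttpOnly; Path=/; SameSite=None",
    "session=constructed-value; HttpOnly; Path=/; SameSite=None",
]


def audit(headers):
    """Classify each header; returns a list of (name, verdict) tuples."""
    return [cross_site_verdict(h) for h in headers]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name}: {verdict}")
```

With SameSite=None the session cookie accompanies every cross-site request to the embedded app, so the app needs its own CSRF protection for state-changing routes.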
