此 Set-Cookie 未指定“SameSite"；属性并默认为“SameSite=Lax"- 本地主机 [英] This Set-Cookie didn't specify a "SameSite" attribute and was default to "SameSite=Lax" - Localhost

问题描述

我是一名前端开发人员，正在开发一个应用程序，其中 login/ 响应在客户端上放置了一个 Session-Cookie.由于用户登录"，稍后的请求将被授权.

I'm a front-end developer working on an application where the login/ response put a Session-Cookie on the client. The later request will be authorized since the user "logged in".

所有没有 SameSite 属性的 cookie 都将被视为指定了 SameSite=Lax.换句话说，它们将仅限于第一方(同一域中的服务器和客户端).如果您需要第三方 cookie(不同域上的服务器和客户端)，则必须将它们标记为 SameSite=None.

All cookies without a SameSite attribute will be treated as if they had SameSite=Lax specified. In other words, they will be restricted to first-party only (server and client on the same domain). If you need third-party cookies (server and client on different domains), then they must be marked with SameSite=None.

默认限制为第一方

Set-Cookie: cname=cvalue; SameSite=Lax

允许在第三方上下文中

Set-Cookie: cname=cvalue; SameSite=None; Secure

对于我的应用程序，我想要默认行为.我的客户端和服务器在 生产 的同一域中运行.但是在开发中，我正在使用 localhost(不同的域).
到目前为止，chrome 在 chrome://flags - SameSite by default cookies 下有特殊标志.我可以在我的开发机器上启用这个标志并且登录通过了.在生产中，我不需要这个标志，因为我想要默认行为.

For my application, I want the default behavior. My client and server running on the same domain in production. But in development I'm working from localhost (different domain).
Up until now, chrome had special flag under chrome://flags - SameSite by default cookies. I could Enable this flag on my development machine and the login passed. And in production, I didn't need this flag because I wanted the default behavior.

SameSite 默认 cookie 标记已删除.这意味着从这个版本开始，我无法登录我的应用，除非将其部署到生产环境中.

The SameSite by default cookies flag was removed. This means that from this version I can't login into my app, without deploying it to production.

有人知道如何在本地主机上工作时获取 Session-Cookie.但仍保持 SameSite=Lax 的安全性.如果可能，只更改客户端，但如果需要，也更改服务器.

Does anybody knows how can I get the Session-Cookie while working from localhost. But still keeping the security of SameSite=Lax. If possible with client only changes, but if needed also with server changes.

Chrome DevTools - SameSite 错误消息

Chrome 80 标志菜单 - 这些标志在 Chrome 91 中被移除

推荐答案

解决方法:降级 Chrome

这不是解决方案！对于像我这样的人来说，这只是一个临时解决方法，他的工作是如何因这次更新而停止的.

Workaround: Downgrade Chrome

This is not a solution! just a temporary workaround for anybody like me how got his work halted due to this update.

• 卸载 Chrome转到添加或删除程序"并卸载 Chrome.请注意，Cookie 和保存的浏览器密码等用户数据可能会丢失.
• 从 slimjet 下载 Chrome v90.com，或来自任何其他网站.然后安装 Chrome.
• 防止自动更新 Chrome，根据此StackOverflow 解决方案:
  打开 C:\Program Files (x86)\Google\Update
  将文件 GoogleUpdate.exe 重命名为 GoogleUpdate2.exe.
  这将导致 Chrome 找不到更新包.
• 更新标志 - 打开 Chrome 并输入:chrome://flags
  搜索 #same-site-by-default-cookies 并禁用标记

• Uninstall Chrome Go to "Add or remove programs" and uninstall Chrome. Notice that user data like cookies and saved browser passwords may be lost.
• Download Chrome v90 from slimjet.com, or from any other site. Then install Chrome.
• Prevent auto-update Chrome, according to this StackOverflow solution:
  open C:\Program Files (x86)\Google\Update
  rename the file GoogleUpdate.exe to GoogleUpdate2.exe.
  This will cause Chrome to not find the update package.
• Update Flags - Open Chrome and type: chrome://flags
  Search #same-site-by-default-cookies and Disable the flag

这篇关于此 Set-Cookie 未指定“SameSite"；属性并默认为“SameSite=Lax"- 本地主机的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！