SameSite warning Chrome 77

Problem description

Since the last update, I'm having an error with cookies, related with SameSite attribute.

The cookies are from third party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.)

The errors in the Chrome console are like this.

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Is there anything I need to do in my local machine or server or is just some feature they should implement in future releases of their libraries?

Recommended answer

This console warning is not an error or an actual problem — Chrome is just spreading the word about this new standard to increase developer adoption.

It has nothing to do with your code. It is something their web servers will have to support.

Release date for a fix is February 4, 2020 per: https://www.chromium.org/updates/same-site

February, 2020: Enforcement rollout for Chrome 80 Stable: The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.

For the full Chrome release schedule, see here.

I solved the same problem by adding this to the response header:

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are Lax or Strict.

SameSite cookies explained here

before applying any option.

Hope this helps you.
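
Added example (not part of the original question or answers): a small Node.js check that applies the two Chrome 80 rules quoted above, SameSite-by-default and SameSite=None-requires-Secure, to Set-Cookie header values. The cookie names and values are constructed samples, and the verdict strings are this example's own labels.

```javascript
// Added example: apply the two Chrome 80 rules quoted above to Set-Cookie headers.
// Cookie names and values are constructed samples; verdict strings are this example's labels.

function parseSetCookie(header) {
  const [first, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = first.indexOf("=");
  // A cookie starts with name=value; a header made only of attributes names no cookie.
  const named = eq > 0;
  const cookie = { name: named ? first.slice(0, eq) : null,
                   secure: false, httpOnly: false, sameSite: null };
  for (const attr of named ? attrs : [first, ...attrs]) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  if (c.name === null) return "invalid: no name=value pair";
  if (c.sameSite === "none") {
    return c.secure ? "sent cross-site"
                    : "rejected: SameSite=None requires Secure";
  }
  if (c.sameSite === "strict") return "withheld cross-site (Strict)";
  if (c.sameSite === "lax") return "top-level navigation only (Lax)";
  // SameSite-by-default: a missing attribute is treated as Lax.
  // Assumption: unrecognised values are handled here like a missing one.
  return "top-level navigation only (Lax by default)";
}

const SAMPLES = [
  "_ga=GA1.2.1111; Path=/; Domain=.example.com", // no SameSite: triggers the warning
  "widget=1; Path=/; SameSite=None",
  "widget=1; Path=/; Secure; SameSite=None",
  "sid=abc123; HttpOnly; Secure; SameSite=Strict",
  "HttpOnly;Secure;SameSite=Strict",              // attributes only
];
for (const h of SAMPLES) console.log(crossSiteVerdict(h).padEnd(44), "<-", h);
```

A third-party cookie that must keep working in an embedded context needs the third form (`SameSite=None` together with `Secure`); first-party session cookies are better served by `Lax` or `Strict`.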
