Cookie SameSite
Last Edited Time: Feb 12, 2022 09:58 AM
Date: Apr 22, 2021
Slug: cookie-samesite
Status: Published
Tags: Cookie, SameSite, Blog, Must-read series, Personal notes
Summary: Notes from debugging Cookie SameSite, plus related articles
Type: Post
SameSite
Chrome has selectively rolled out its updated Cookie SameSite policy; see SameSite Updates.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2F6e1664a6-54f4-4dec-8dd1-868c4c0cf7ea%2F8e4c3904-7cfb-4abb-9ab9-ddb335ae0dd4%2FUntitled.png%3Fid%3Dd69cd829-e916-4c4f-bb7a-914275e6f638%26table%3Dblock%26spaceId%3D6e1664a6-54f4-4dec-8dd1-868c4c0cf7ea%26expirationTimestamp%3D1720224000000%26signature%3DdpdSQONVVCoYKWca4YcOdK_cz6pw1ZUpGuNmN-EKaDk?table=block&id=d69cd829-e916-4c4f-bb7a-914275e6f638&cache=v2)
If you open the test link and every row shows green, the browser is running the latest policy.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2F6e1664a6-54f4-4dec-8dd1-868c4c0cf7ea%2F13db5928-22af-46fe-9928-547749f826e1%2FUntitled.png%3Fid%3Dca8b8f08-b77d-4e64-a0f1-923dbe859b09%26table%3Dblock%26spaceId%3D6e1664a6-54f4-4dec-8dd1-868c4c0cf7ea%26expirationTimestamp%3D1720224000000%26signature%3DnF7Hj90Z2scIqr-9vwMxi5ITSUeESlvmXHcyPjsWpPg?table=block&id=ca8b8f08-b77d-4e64-a0f1-923dbe859b09&cache=v2)
The situation in the WeChat in-app browser:
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2F6e1664a6-54f4-4dec-8dd1-868c4c0cf7ea%2Ffd12f9c7-ae62-4723-b28a-6d6f1dd9eb01%2FUntitled.png%3Fid%3Dc43707f3-3f2f-495b-86eb-8fdf48adc19f%26table%3Dblock%26spaceId%3D6e1664a6-54f4-4dec-8dd1-868c4c0cf7ea%26expirationTimestamp%3D1720224000000%26signature%3DZHCnXpvgUQp8U_PZw93zn3n_X9bnPo97ByI4t4r9Whs?table=block&id=c43707f3-3f2f-495b-86eb-8fdf48adc19f&cache=v2)
Recommended solution
- The problem can be fixed centrally in the nginx configuration. In /etc/nginx/proxy_params:

```nginx
# fix Chrome cookie SameSite=Lax bug
# Reference: https://www.chromium.org/updates/same-site/test-debug
proxy_cookie_path / "/; Secure; SameSite=None";
```

  Note that proxy_cookie_path only rewrites Set-Cookie headers that carry Path=/; a cookie set without a Path attribute passes through unchanged. Marking every cookie SameSite=None also gives up the cross-site protection that Lax-by-default provides, so CSRF defences then have to live in the application itself (anti-CSRF tokens, Origin checks).
- Projects that must be opened in the WeChat in-app browser should not add this configuration: the WeChat browser engine does not support SameSite=None; Secure;.
- Use https://samesite-sandbox.glitch.me/ to test the SameSite policy; all green means the browser is on the latest policy.
- Because some pages are served over http rather than https, you may need to switch Chrome's policy; see the related links:
  - For Chrome below 91, go to chrome://flags and enable or disable the #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure flags; see SameSite Updates.
  - Chrome 91 to 94 removed these flag entries, so the policy has to be configured from the command line instead.
  - Or simply use the older Chrome 90: https://google-chrome.en.uptodown.com/mac/versions
烧鸡同学's reading log (all entries read)

| Title | One-line comment | Tags | Created |
| --- | --- | --- | --- |
| Chrome extension for debugging SameSite locally | | SameSite | Dec 31, 2022 01:59 AM |
| | Explains what "same site" means: top-level domain vs. effective top-level domain, aka "eTLD+1" | SameSite, Must-read | Dec 3, 2021 02:14 AM |
| | A detailed worked example of same-site | SameSite, Must-read | Dec 3, 2021 02:14 AM |
| | Chrome's SameSite handling has one exception, and this behaviour can be used for CSRF attacks: "Chrome will make an exception for cookies set without a SameSite attribute less than 2 minutes ago. Such cookies will also be sent with non-idempotent (e.g. POST) top-level cross-site requests despite normal SameSite=Lax cookies requiring top-level cross-site requests to have a safe (e.g. GET) HTTP method" | SameSite, Must-read, Tutorial | Nov 30, 2021 07:00 AM |
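As an added illustration (not code from this post or from Chromium), the following Python models the cookie-attachment rules the post and its reading log describe: Lax-by-default, None-must-be-Secure, and the two-minute "Lax+POST" exception quoted above. The eTLD+1 ("site") computation uses a tiny constructed suffix set in place of the real Public Suffix List, and Chrome's schemeful same-site check (http vs https) is left out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Public Suffix List; real code must load the full list.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}
LAX_UNSAFE_WINDOW = 120  # Chrome's "Lax+POST" grace period, in seconds

def site_of(host: str) -> str:
    """Return the eTLD+1 ("site") of a hostname: the longest public suffix plus one label."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()

@dataclass
class Cookie:
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool
    age_seconds: int          # time since the Set-Cookie that created it

@dataclass
class Request:
    initiator_host: str  # host of the page that initiated the request
    target_host: str     # host the request goes to (the cookie's host)
    https: bool
    top_level: bool      # True for navigations, False for subresources / fetches
    method: str

def is_sent(c: Cookie, r: Request) -> bool:
    """Decide whether Chrome (Lax-by-default era) attaches the cookie to the request."""
    mode = c.same_site or "Lax"                # Lax-by-default
    if mode == "None" and not c.secure:        # None-must-be-Secure: cookie is rejected outright
        return False
    if c.secure and not r.https:               # Secure cookies never travel over plain http
        return False
    # Only the eTLD+1 is compared; schemeful same-site is not modelled here.
    if site_of(r.initiator_host) == site_of(r.target_host):
        return True
    if mode == "None":
        return True
    if mode == "Strict" or not r.top_level:
        return False
    if r.method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True                            # Lax allows safe top-level cross-site navigations
    # "Lax+POST": a cookie set WITHOUT a SameSite attribute less than 2 minutes ago is still
    # sent on a top-level cross-site POST; this is the CSRF window the reading log quotes.
    return c.same_site is None and c.age_seconds < LAX_UNSAFE_WINDOW
```

An explicit SameSite=Lax cookie never gets the two-minute exception, which is why setting the attribute explicitly closes that window.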