246

自上次更新以来,我遇到了与 SameSite 属性相关的 cookie 错误。

cookie 来自第三方开发者(Fontawesome、jQuery、Google Analytics、Google reCaptcha、Google Fonts 等)

Chrome 控制台中的错误是这样的。

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

我需要在本地机器或服务器上做些什么,或者只是他们应该在未来版本的库中实现的一些功能?

4

6 回答 6

184

这个控制台警告不是错误或实际问题——Chrome 只是在宣传这个新标准以提高开发人员的采用率。

它与您的代码无关。这是他们的网络服务器必须支持的东西。

修复程序的发布日期为 2020 年 2 月 4 日: https ://www.chromium.org/updates/same-site

2020 年 2 月: Chrome 80 Stable 的强制推出:SameSite-by-default 和 SameSite=None-requires-Secure 行为将从2020 年 2 月 17 日那一周开始针对初始有限的人群推出到 Chrome 80 Stable ,不包括周一是美国总统日假期。我们将通过逐渐增加的推广从最初的有限阶段密切监测和评估生态系统的影响。

有关完整的 Chrome 发布时间表,请参见此处

我通过添加响应标头解决了同样的问题

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

SameSite防止浏览器将 cookie 与跨站点请求一起发送。主要目标是降低跨域信息泄露的风险。它还提供了一些针对跨站点请求伪造攻击的保护。该标志的可能值为 Lax 或 Strict。

SameSite cookie在这里解释

请在应用任何选项之前参考此内容。

希望这对您有所帮助。

于 2019-10-10T10:13:50.693 回答
45

更新 - 2021 年 6 月

#same-site-by-default 的 chrome 标志已作为 Chrome 91 从 Chrome 实验面板中删除。

在 Chrome 94 之前,该标志仍​​可通过启动选项使用。

对于 macos,使用标志启动的终端命令是:

// Chrome
open -n -a Google\ Chrome --args --disable-features=SameSiteByDefaultCookies

// Chrome Canary
open -n -a Google\ Chrome\ Canary --args --disable-features=SameSiteByDefaultCookies

更多信息:

2021 年 3 月 18 日:从 Chrome 91 开始,标记 #same-site-by-default-cookies 和 #cookies-without-same-site-must-be-secure 已从 chrome://flags 中删除,因为行为是现在默认启用。在 Chrome 94 中,命令行标志 --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure 将被删除。来源:Chromium SameSite 更新页面


原始答案 - 2020 年 3 月

如果您在 localhost 上进行测试并且无法控制响应标头,则可以使用 chrome 标志禁用它。

访问 url 并禁用它:chrome://flags/#same-site-by-default-cookies SameSite 默认 cookie 截图

我需要禁用它,因为 Chrome Canary 从大约 V 82.0.4078.2 开始执行此规则,现在它没有设置这些 cookie。

注意:我只在用于开发的 Chrome Canary 中打开此标志。出于与谷歌引入它相同的原因,最好不要为日常 Chrome 浏览打开标志。

于 2020-03-08T23:11:36.950 回答
14

通过向脚本标签添加跨域来修复。

来自:https ://code.jquery.com/

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

完整性和跨域属性用于子资源完整性 (SRI) 检查。这允许浏览器确保托管在第三方服务器上的资源没有被篡改。每当从第三方源加载库时,建议使用 SRI 作为最佳实践。在 srihash.org 上阅读更多信息

于 2020-04-04T09:06:53.070 回答
9

为了详细说明 Rahul Mahadik 的回答,这适用于 MVC5 C#.NET:

AllowSameSiteAttribute.cs

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if(response != null)
        {
            response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
            //Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

家庭控制器.cs

    [AllowSameSite] //For the whole controller
    public class UserController : Controller
    {
    }

或者

    public class UserController : Controller
    {
        [AllowSameSite] //For the method
        public ActionResult Index()
        {
            return View();
        }
    }
于 2020-01-14T17:24:13.630 回答
1

我不得不在chrome://flags

在此处输入图像描述

于 2020-06-11T23:59:37.070 回答
1

当谈到 Google Analytics 时,我发现 raik 在Secure Google tracking cookies上的回答非常有用。它将安全和相同站点设置为一个值。

ga('create', 'UA-XXXXX-Y', {
    cookieFlags: 'max-age=7200;secure;samesite=none'
});

博客文章中还有更多信息

于 2021-02-16T12:41:18.380 回答