The answer above is incorrect... let me clear up some confusion.
1. For SameSite purposes, when are two sites the "same site"?
Regardless of the cookie's Domain attribute, two sites are considered the same when their eTLD+1 (a.k.a. registrable domain) is the same. See my answer for a more detailed explanation.
So in this case, assuming the eTLD is ".com", we would consider auth.mysite.com and main.mysite.com to be the same site, because the eTLD+1 for both of them is mysite.com. On the other hand, anything.mysite.com and othersite.com are always cross-site. This holds whether it is a top-level navigation or a subresource request (such as an image or a document in an iframe).
2. What does the Domain attribute mean?
If a cookie is set with Set-Cookie: cookiename=cookievalue; Domain=mysite.com, then the cookie will be sent on requests to any domain matching *.mysite.com (i.e. all subdomains).
This is a way to adjust the scope of a cookie. For example, you could use Domain=mysite.com for a global cookie that all of your domains care about, and Domain=corp.mysite.com for a cookie that all of your company's internal domains care about (but not your external-facing domains, for example).
The default (for cookies that don't explicitly set a Domain attribute) is that cookies are sent only to the domain that set the cookie. (No subdomains.)
You cannot set a Domain attribute that does not match the URL of the request.
(Also, there is no such thing as an "origin" attribute of a cookie.)
3. So what does Domain have to do with SameSite?
Nothing. They are independent cookie attributes. Domain doesn't care about the same-site/cross-site context, and SameSite doesn't care about domain/subdomain scope of the cookie.
4. When mysite.com is embedded in an iframe on othersite.com, why are default-Lax cookies not sent?
This is considered a cross-site context, because the site in the user's URL bar is othersite.com whereas the request is made to mysite.com, and these have two different eTLD+1's.
Because it's in an iframe, this is not a top-level navigation, so all cross-site requests will exclude SameSite cookies.
If it is a top-level navigation (the user clicks a link that takes them from othersite.com to mysite.com), then the request method matters. In the vast majority of cases this will be a GET request, so Lax-mode cookies will be sent.
Hope this helps! You can refer to the latest version of the spec for more details.
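The rules in this answer, as an added worked example that is not part of the original post: a small model of how a browser decides whether two hosts are same-site (eTLD+1 comparison), whether a cookie's Domain attribute covers a request host (RFC 6265 domain matching), and whether a SameSite=Lax cookie is attached to a request. It assumes a tiny constructed public-suffix set (`com`, `co.uk`) standing in for the real Public Suffix List, and the cookie objects and hostnames are constructed sample values.

```javascript
// Constructed stand-in for the Public Suffix List (the real list is far larger).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// eTLD+1 ("registrable domain"): the longest public suffix plus one more label.
// Returns null when the host is itself a public suffix (or has no known suffix).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// Two hosts are "same-site" for SameSite purposes when their eTLD+1 is equal.
// The cookie's Domain attribute plays no part in this decision.
function isSameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  const b = registrableDomain(hostB);
  return a !== null && a === b;
}

// RFC 6265 domain matching: the request host equals the cookie domain
// or is a subdomain of it. A leading dot in the attribute is ignored.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// A Set-Cookie response may only use a Domain that covers the host that set it,
// and browsers also reject a Domain that is a bare public suffix (e.g. "com").
function canSetDomain(settingHost, cookieDomain) {
  return domainMatches(settingHost, cookieDomain) && registrableDomain(cookieDomain) !== null;
}

// Methods the SameSite=Lax rule treats as "safe" for top-level navigations.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Decide whether a cookie is attached to a request.
//   cookie: { setBy, domain (optional), sameSite: "Strict" | "Lax" | "None" | undefined }
//   topLevelHost: the site shown in the user's URL bar
function cookieSent({ cookie, requestHost, topLevelHost, topLevelNavigation, method }) {
  // Scope check first: Domain attribute if present, otherwise host-only (no subdomains).
  const inScope = cookie.domain
    ? domainMatches(requestHost, cookie.domain)
    : requestHost.toLowerCase() === cookie.setBy.toLowerCase();
  if (!inScope) return false;

  // Site context is decided by the eTLD+1 of the URL-bar site vs. the request host.
  const sameSite = isSameSite(requestHost, topLevelHost);
  switch (cookie.sameSite) {
    case "Strict":
      return sameSite;
    case "None":
      return true; // modern browsers additionally require the Secure attribute
    default: // explicit Lax, or the default-Lax behaviour when the attribute is absent
      return sameSite || (topLevelNavigation && SAFE_METHODS.has(method.toUpperCase()));
  }
}

// Constructed sample cookie: default (Lax) SameSite, scoped to all of mysite.com.
const SESSION_COOKIE = { setBy: "auth.mysite.com", domain: "mysite.com" };

// Same-site subresource request: sent.
const sentSubdomain = cookieSent({
  cookie: SESSION_COOKIE, requestHost: "main.mysite.com",
  topLevelHost: "auth.mysite.com", topLevelNavigation: false, method: "GET",
});
// mysite.com iframed on othersite.com: cross-site, not a top-level navigation, not sent.
const sentIframe = cookieSent({
  cookie: SESSION_COOKIE, requestHost: "mysite.com",
  topLevelHost: "othersite.com", topLevelNavigation: false, method: "GET",
});
// Link click from othersite.com to mysite.com: cross-site but top-level GET, sent.
const sentLinkClick = cookieSent({
  cookie: SESSION_COOKIE, requestHost: "mysite.com",
  topLevelHost: "othersite.com", topLevelNavigation: true, method: "GET",
});

console.log({ sentSubdomain, sentIframe, sentLinkClick });
```

The `cookieSent` function deliberately separates the two questions the answer distinguishes: Domain decides whether the cookie is in scope for the request host at all, and SameSite then decides whether the site context allows it. Changing one never alters the other, which is the point made in section 3.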