Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/58191969/

Time: 2020-08-26 08:35:42  Source: igfitidea

How to fix "set SameSite cookie to none" warning? Chrome Extension

php cookies

Asked by Danilo Ivanovic

I created a Chrome extension and from popup.js I called a PHP script (using XMLHttpRequest) that reads the cookie. Like this:

$cookie_name = "mycookie";

if(isset($_COOKIE[$cookie_name]))
{
    echo $_COOKIE[$cookie_name];
}
else{
    echo "nocookie";
}

But I'm getting this warning at errors in extensions.

A cookie associated with a cross-site resource at (Here is my domain) was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I tried to create a cookie like this but it didn't help.

setcookie($cookie_name,$cookie_value, time() + 3600*24, "/;samesite=None ","mydomain.com", 1);

Following instructions from this question.

Accepted answer by Dimas Pante

I'm also in a "trial and error" for that, but this answer from Google Chrome Labs' Github helped me a little. I defined it into my main file and it worked - well, for only one third-party domain. Still making tests, but I'm eager to update this answer with a better solution :)

If you have PHP until 7.2, as my server does:

header('Set-Cookie: cross-site-cookie=name; SameSite=None; Secure');

Or if your host is already updated to 7.3, you can use:

setcookie('cross-site-cookie', 'name', ['samesite' => 'None', 'secure' => true]);

Another thing you can try, to check the cookies, is to enable the flag below, which - in their own words - "will add console warning messages for every single cookie potentially affected by this change":

chrome://flags/#cookie-deprecation-messages

See the whole code at: https://github.com/GoogleChromeLabs/samesite-examples/blob/master/php.md, they have the code for same-site-cookies too.

Answer by vir us

As the new feature comes, SameSite=None cookies must also be marked as Secure or they will be rejected.

One can find more information about the change on chromium updates and on this blog post.

Note: not quite related directly to the question, but might be useful for others who landed here as it was my concern at first during development of my website:

If you are seeing the warning from question that lists some 3rd party sites (in my case it was google.com, huh) - that means they need to fix it and it's nothing to do with your site. Of course unless the warning mentions your site, in which case adding Secure should fix it.

Answer by Robert Greene

>= PHP 7.3

setcookie('key', 'value', ['samesite' => 'None', 'secure' => true]);

< PHP 7.3

exploit the path
setcookie('key', 'value', time()+(7*24*3600), "/; SameSite=None; Secure");

Emitting javascript

echo "<script>document.cookie = 'key=value; SameSite=None; Secure';</script>";
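
Both PHP version branches from the answers above combined in one helper, as an added example that is not part of the original answers. The function names are hypothetical, and HttpOnly is an assumption that fits the question, where only the PHP script reads the cookie.

```php
<?php
// Added example: not code from the original answers.

// Build the raw header used on PHP < 7.3, where setcookie() has no
// 'samesite' option. SameSite=None is always paired with Secure.
function buildCrossSiteCookieHeader(string $name, string $value, int $ttl, string $path = '/'): string
{
    // Reject names that would break the header (same characters setcookie() refuses).
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    return sprintf(
        'Set-Cookie: %s=%s; Expires=%s; Max-Age=%d; Path=%s; Secure; HttpOnly; SameSite=None',
        $name,
        rawurlencode($value),   // percent-encode so ';' or whitespace cannot split the header
        gmdate('D, d M Y H:i:s \G\M\T', time() + $ttl),
        $ttl,
        $path
    );
}

function setCrossSiteCookie(string $name, string $value, int $ttl = 86400): bool
{
    if (headers_sent()) {
        return false;           // output already started, the header can no longer be added
    }
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: options array with native 'samesite' support.
        return setcookie($name, $value, [
            'expires'  => time() + $ttl,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,  // assumption: cookie is read server-side only
            'samesite' => 'None',
        ]);
    }
    // Older PHP: send the header by hand. The second argument (false) appends
    // instead of replacing, so Set-Cookie headers set earlier are kept.
    header(buildCrossSiteCookieHeader($name, $value, $ttl), false);
    return true;
}

// Usage, before any output is sent:
// setCrossSiteCookie('mycookie', 'some value', 3600 * 24);
```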

Answer by Ethan Burnside

I ended up fixing our Ubuntu 18.04 / Apache 2.4.29 / PHP 7.2 install for Chrome 80 by installing mod_headers:

a2enmod headers

Adding the following directive to our Apache VirtualHost configurations:

Header edit Set-Cookie ^(.*)$ "$1; Secure; SameSite=None"

And restarting Apache:

service apache2 restart

In reviewing the docs (http://www.balkangreenfoundation.org/manual/en/mod/mod_headers.html) I noticed the "always" condition has certain situations where it does not work from the same pool of response headers. Thus not using "always" is what worked for me with PHP but the docs suggest that if you want to cover all your bases you could add the directive both with and without "always". I have not tested that.
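
The pattern `^(.*)$` in the directive above matches every Set-Cookie header the server emits, so every cookie becomes a cross-site cookie. The same rewrite done in PHP for a chosen list of cookies only, as an added example that is not part of the original answer; the function names and the cookie names in the usage comment are hypothetical.

```php
<?php
// Added example: not code from the original answer.

// Return the Set-Cookie value with Secure and SameSite=None, replacing any
// existing Secure/SameSite attributes instead of appending duplicates.
function withCrossSiteAttributes(string $cookie): string
{
    $parts = array_map('trim', explode(';', $cookie));
    $kept  = [array_shift($parts)];             // "name=value" always comes first
    foreach ($parts as $attr) {
        $key = strtolower(trim(explode('=', $attr, 2)[0]));
        if ($attr !== '' && $key !== 'secure' && $key !== 'samesite') {
            $kept[] = $attr;                    // keep Path, Expires, HttpOnly, ...
        }
    }
    return implode('; ', $kept) . '; Secure; SameSite=None';
}

// Rewrite only the cookies named in $crossSiteNames; every other
// Set-Cookie header is sent back unchanged.
function rewriteSetCookieHeaders(array $crossSiteNames): void
{
    $cookies = [];
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $cookies[] = trim(substr($line, strlen('Set-Cookie:')));
        }
    }
    header_remove('Set-Cookie');
    foreach ($cookies as $cookie) {
        $name = explode('=', $cookie, 2)[0];
        if (in_array($name, $crossSiteNames, true)) {
            $cookie = withCrossSiteAttributes($cookie);
        }
        header('Set-Cookie: ' . $cookie, false); // false: append, do not replace
    }
}

// Call after session_start()/setcookie() and before any output, e.g.:
// rewriteSetCookieHeaders(['PHPSESSID', 'mycookie']);
```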
