JavaScript SameSite warning Chrome 77

Note: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). Original StackOverflow question: http://stackoverflow.com/questions/58270663/

Date: 2020-08-23 05:20:13  Source: igfitidea

SameSite warning Chrome 77

Tags: javascript, google-chrome, cookies, samesite

Asked by peiblox

Since the last update, I'm having an error with cookies, related with SameSite attribute.

The cookies are from third party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.)

The errors in the Chrome console are like this.

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Is there anything I need to do in my local machine or server or is just some feature they should implement in future releases of their libraries?

Accepted answer by Rahul Mahadik

This console warning is not an error or an actual problem — Chrome is just spreading the word about this new standard to increase developer adoption.

It has nothing to do with your code. It is something their web servers will have to support.

Release date for a fix is February 4, 2020 per: https://www.chromium.org/updates/same-site

February, 2020: Enforcement rollout for Chrome 80 Stable: The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President's Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.

For the full Chrome release schedule, see here.

I solved same problem by adding in response header

// a Set-Cookie value must begin with a name=value pair; cookieName/cookieValue are placeholders
response.setHeader("Set-Cookie", "cookieName=cookieValue; HttpOnly; Secure; SameSite=Strict");

SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are Lax or Strict.

SameSite cookies explained here

Please refer to this before applying any option.

Hope this helps you.
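The two Chrome 80 rules quoted above (SameSite-by-default and SameSite=None requires Secure) are easier to see in code. This is an added JavaScript example, not code from the question or from any answer; `parseSetCookie`, `chrome80Policy` and `buildSetCookie` are names chosen here and the cookie strings are constructed samples.

```javascript
// Added example, not from the question or answers. Models the two Chrome 80 rules
// behind the console warning (SameSite-by-default and SameSite=None requires Secure)
// and builds a Set-Cookie value that satisfies them. Names here are assumptions.

// Parse a Set-Cookie header value into { name, value, attrs }. Attribute names are
// lower-cased; flag attributes such as Secure and HttpOnly map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error("Set-Cookie must begin with a name=value pair");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// How Chrome 80 treats a cookie set by a cross-site resource (the third-party scripts
// in the question). sentCrossSite: whether the cookie accompanies later cross-site
// subresource requests (script, img, XHR) to that resource's site.
function chrome80Policy(header) {
  const { attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  const raw = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  const known = { strict: "Strict", lax: "Lax", none: "None" };
  // Missing or unrecognised SameSite is treated as Lax: this is the case the warning
  // reports, and it is why those third-party cookies stop flowing cross-site.
  const effectiveSameSite = known[raw] || "Lax";
  if (effectiveSameSite === "None" && !secure) {
    // SameSite=None without Secure is rejected outright.
    return { accepted: false, sentCrossSite: false, effectiveSameSite };
  }
  return { accepted: true, sentCrossSite: effectiveSameSite === "None", effectiveSameSite };
}

// Build a Set-Cookie value valid under those rules: it always starts with name=value
// and refuses SameSite=None without Secure rather than emitting a cookie Chrome drops.
function buildSetCookie(name, value, { sameSite = "Lax", secure = false, httpOnly = true } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error("invalid cookie name");
  if (sameSite === "None" && !secure) throw new Error("SameSite=None requires Secure");
  const parts = [`${name}=${value}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}
```

Run `chrome80Policy` over a cookie without a SameSite attribute and it reports the Lax default that makes the cookie stop being sent cross-site, which is exactly what the warning is announcing.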

Answer by Will

If you are testing on localhost and you have no control of the response headers, you can disable it with a chrome flag.

Visit the URL and disable it: chrome://flags/#same-site-by-default-cookies (screenshot: SameSite by default cookies)

I need to disable it because Chrome Canary just started enforcing this rule as of approximately V 82.0.4078.2 and now it's not setting these cookies.

Note: I only turn this flag on in Chrome Canary that I use for development. It's best not to turn the flag on for everyday Chrome browsing for the same reasons that google is introducing it.

Answer by John Magnolia

Fixed by adding crossorigin to the script tag.

From: https://code.jquery.com/

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best-practice, whenever libraries are loaded from a third-party source. Read more at srihash.org

Answer by Joel Wiklund

To elaborate on Rahul Mahadik's answer, this works for MVC5 C#.NET:

AllowSameSiteAttribute.cs

using System.Web.Mvc;

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if (response != null)
        {
            // A Set-Cookie value must begin with a name=value pair; cookieName/cookieValue are placeholders
            response.AddHeader("Set-Cookie", "cookieName=cookieValue; HttpOnly; Secure; SameSite=Strict");
            //Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

HomeController.cs

    [AllowSameSite] //For the whole controller
    public class UserController : Controller
    {
    }

or

    public class UserController : Controller
    {
        [AllowSameSite] //For the method
        public ActionResult Index()
        {
            return View();
        }
    }