SameSite warning in Chrome 77

pei*_*lox 63 javascript cookies google-chrome samesite

Since the last update I am getting errors about my cookies related to the SameSite attribute.

The cookies come from third-party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.).

The errors in the Chrome console look like this.

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Do I need to do anything on my local machine or on the server, or is this just something the libraries should implement in a future version?

Wil*_*ill 45

Update - June 2021

The chrome flag #same-site-by-default was removed from the Chrome experiments panel as of Chrome 91.

Before Chrome 94, the flag is still available via the launch options.

For macOS, the terminal commands to launch with the flag are:

# Chrome
open -n -a Google\ Chrome --args --disable-features=SameSiteByDefaultCookies

# Chrome Canary
open -n -a Google\ Chrome\ Canary --args --disable-features=SameSiteByDefaultCookies

More info:

March 18, 2021: As of Chrome 91, the flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure have been removed from chrome://flags because the behavior is now enabled by default. In Chrome 94, the command-line flag --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure will be removed. Source: Chromium SameSite Updates page


Original answer - March 2020

If you are testing on localhost and have no control over the response headers, you can disable it with a chrome flag.

Visit this URL and disable it: chrome://flags/#same-site-by-default-cookies [screenshot: SameSite by default cookies flag]

I needed to disable it because Chrome Canary started enforcing this rule around V 82.0.4078.2 and now it does not set those cookies.

Note: I only turn this flag on in Chrome Canary, which I use for development. For the same reasons Google introduced it, it is best not to turn the flag on in your day-to-day Chrome browsing.

  • Disabling this flag and restarting Canary did not work for me, so I just added `-SameSite` to the main "Filter" box, which I also use to get rid of that annoying sourcemap issue => https://superuser.com/questions/1523427/google-chrome-devtools-could-not-parse-sourcemap-chrome-extension (5 upvotes)

Rah*_*dik 40

This console warning is not an error or an actual problem; Chrome is just spreading the word about this new standard to increase adoption among developers.

The fix is due to ship on 02/04/2020, per: https://www.chromium.org/updates/same-site

I solved the same problem by adding the response header

// A Set-Cookie value must start with a name=value pair; "<name>=<value>" is a placeholder for your own cookie
response.setHeader("Set-Cookie", "<name>=<value>; HttpOnly; Secure; SameSite=Strict");

SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. The possible values for the flag are Lax or Strict.

Please refer to this before applying any of the options

Hope this helps.

  • I have to say, a friendly warning really does trigger the OCD of many developers like me. My frustration with a dirty console grew considerably when I saw that YouTube (a Google property) was the offender generating console errors in Google Chrome. I've said it, that's all. (41 upvotes)
  • Have you done any research into how to handle this when third-party scripts that set cookies are introduced (e.g. Google Analytics and Google Tag Manager)? (12 upvotes)
  • Where should I add the response header? Thanks. (6 upvotes)
  • Any idea why a simple image request triggers this error? Even though the image request does not involve creating/reading a cookie, and the image domain URL does not match the cookie URL reported by the Chrome console warning message? (3 upvotes)
  • If you happen to be using .NET, appending to web.config in IIS or adding a URL rewrite rule can solve this. Credit for the solution goes to /sf/ask/2726837501/ (2 upvotes)
  • Is there a solution that does not involve JavaScript? (2 upvotes)
  • If you use Chrome DevTools and do not want a cluttered console because of third-party warnings, you can check the "Selected context only" box in the console. https://developers.google.com/web/tools/chrome-devtools/console/reference#filtercontext (2 upvotes)
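To check your own Set-Cookie headers against the rules the warning describes (no SameSite is treated as Lax and logged; SameSite=None is only accepted together with Secure), here is an added example in JavaScript that is not from any answer on this page. It also shows that a Set-Cookie value with no leading name=value pair, like the bare attribute string in the answer above, is not a valid cookie at all; the sample headers are constructed.

```javascript
// Parse one Set-Cookie header value into its name=value pair and attribute map.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name = "", ...valueParts] = (parts[0] || "").split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf("=");
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return { name: name.trim(), hasValue: valueParts.length > 0, attrs };
}

// Apply the Chrome 80+ rules. status is "ok" | "warn" | "rejected";
// crossSite says whether the browser will still attach the cookie to cross-site requests.
function auditSetCookie(header) {
  const { name, hasValue, attrs } = parseSetCookie(header);
  if (!name || !hasValue) {
    return { status: "rejected", crossSite: false, reason: "no name=value pair" };
  }
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  const secure = attrs.secure === true;
  if (sameSite === null) {
    return { status: "warn", crossSite: false, reason: "no SameSite: treated as Lax, console warning logged" };
  }
  if (sameSite === "none") {
    return secure
      ? { status: "ok", crossSite: true, reason: "SameSite=None; Secure" }
      : { status: "rejected", crossSite: false, reason: "SameSite=None without Secure" };
  }
  if (sameSite === "lax" || sameSite === "strict") {
    return { status: "ok", crossSite: false, reason: "SameSite=" + sameSite };
  }
  return { status: "warn", crossSite: false, reason: "unrecognised SameSite value: " + sameSite };
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly; Secure",      // warn: no SameSite
  "track=xyz; Path=/; SameSite=None; Secure",   // ok: the only cross-site-deliverable form
  "track=xyz; Path=/; SameSite=None",           // rejected: None without Secure
  "csrf=tok; SameSite=Strict; Secure",          // ok: same-site only
  "HttpOnly;Secure;SameSite=Strict",            // rejected: no name=value pair
];

for (const h of SAMPLE_HEADERS) {
  const r = auditSetCookie(h);
  console.log(r.status.padEnd(8), h, "(" + r.reason + ")");
}
```

Run it against the Set-Cookie lines from your own responses (curl -i shows them) to see which cookies need SameSite=None; Secure because they are legitimately used cross-site, and which can simply stay Lax.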

Joh*_*lia 13

Fixed by adding crossorigin to the script tag.

From: https://code.jquery.com/

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This lets the browser verify that a resource hosted on a third-party server has not been tampered with. Using SRI is recommended as a best practice whenever you load a library from a third-party source. Read more at srihash.org

  • @JohnMagnolia I just did that and nothing happened. (2 upvotes)

xqt*_*qtr 9

To elaborate on Rahul Mahadik's answer, this works for MVC5 C#.NET:

AllowSameSiteAttribute.cs

using System.Web.Mvc;

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if(response != null)
        {
            // A Set-Cookie value must start with a name=value pair; "<name>=<value>" is a placeholder for your own cookie
            response.AddHeader("Set-Cookie", "<name>=<value>; HttpOnly; Secure; SameSite=Strict");
            //Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

HomeController.cs

    [AllowSameSite] //For the whole controller
    public class UserController : Controller
    {
    }

or

    public class UserController : Controller
    {
        [AllowSameSite] //For the method
        public ActionResult Index()
        {
            return View();
        }
    }