Chrome 77警告

ukxgm1gy  于 2022-12-25  发布在  Go
关注(0)|答案(6)|浏览(131)

自从上次更新以来,我遇到了一个与SameSite属性有关的cookie错误。
Cookie来自第三方开发者(Fontawesome,jQuery,谷歌分析,谷歌验证码,谷歌字体等)
Chrome控制台中的错误是这样的。

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

我需要在本地机器或服务器上做些什么,或者只是一些他们应该在未来版本的库中实现的特性?

c86crjj0

c86crjj01#

这个控制台警告不是一个错误或实际问题- Chrome只是在传播这个新标准的消息,以增加开发人员的采用。
这与你的代码无关。这是他们的网络服务器必须支持的。
修复程序的发布日期为2020年2月4日,依据:https://www.chromium.org/updates/same-site

2020年2月:Chrome 80 Stable的强制实施:默认SameSite和SameSite= None-requests-Secure行为将从2020年2月17日这一周开始在Chrome 80 Stable上推出,但不包括周一的美国总统日假期。我们将密切监测和评估从最初的有限阶段到逐步增加推出的生态系统影响。

对于完整的Chrome发布时间表,see here
我通过添加响应头解决了同样的问题

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

SameSite防止浏览器随跨站点请求沿着发送Cookie。主要目的是降低跨源信息泄漏的风险。它还提供一些保护,防止跨站点请求伪造攻击。该标志的可能值为Lax或Strict。
SameSite Cookie解释here
在应用任何选项之前,请参阅this

vddsk6oq

vddsk6oq2#

    • 更新-2021年6月**

默认情况下,#same-site-by-default的chrome标记将作为Chrome 91从Chrome实验面板中移除。
在Chrome 94之前,该标志仍然可以通过启动选项使用。
对于macos,使用该标志启动的终端命令为:

// Chrome
open -n -a Google\ Chrome --args --disable-features=SameSiteByDefaultCookies

// Chrome Canary
open -n -a Google\ Chrome\ Canary --args --disable-features=SameSiteByDefaultCookies

更多信息:
二〇二一年三月十八日:自Chrome 91起,#same-site-by-default-cookies和#cookies-without-same-site-must-be-secure标志已从chrome://标志中删除,因为该行为现在默认为启用。在Chrome 94中,命令行标志--disable-features = SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure将被删除。来源:Chromium SameSite Updates page.

    • 原始答复-2020年3月**

如果您在本地主机上进行测试,并且无法控制响应头,则可以使用chrome标记禁用它。
访问URL并禁用它:chrome://flags/默认情况下相同站点的cookie数

我需要禁用它,因为Chrome Canary从大约V 82.0.4078.2开始执行此规则,现在它没有设置这些Cookie。
注意:我只在Chrome Canary中打开这个标记,用于开发。最好不要在日常Chrome浏览中打开这个标记,原因和google引入它的原因一样。

gwo2fgha

gwo2fgha3#

已通过将交叉源添加到脚本标记修复。
出发地:https://code.jquery.com/

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

integrity和crossorigin属性用于子资源完整性(SRI)检查。这允许浏览器确保第三方服务器上托管的资源未被篡改。无论何时从第三方源加载库,建议使用SRI作为最佳实践。有关详细信息,请访问srihash.org

dly7yett

dly7yett4#

为了详细说明Rahul Mahadik的答案,下面的方法适用于MVC5 C#.NET:
AllowSameSiteAttribute.cs

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if(response != null)
        {
            response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
            //Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

HomeController.cs

[AllowSameSite] //For the whole controller
    public class UserController : Controller
    {
    }

public class UserController : Controller
    {
        [AllowSameSite] //For the method
        public ActionResult Index()
        {
            return View();
        }
    }
icnyk63a

icnyk63a5#

我不得不在chrome://flags中禁用它

igetnqfo

igetnqfo6#

谈到谷歌分析,我发现raik在Secure Google tracking cookies上的回答非常有用,它将secure和samesite设置为一个值。

ga('create', 'UA-XXXXX-Y', {
    cookieFlags: 'max-age=7200;secure;samesite=none'
});

blog post中的其他更多信息

相关问题