自从上次更新以来,我有一个与SameSite属性相关的cookie错误。

cookie来自第三方开发人员(Fontawesome, jQuery,谷歌Analytics,谷歌reCaptcha,谷歌Fonts等)

Chrome控制台中的错误是这样的。

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

我需要在我的本地机器或服务器上做什么,或者只是他们应该在他们的库的未来版本中实现的一些功能吗?


当前回答

我不得不在chrome中禁用://flags

其他回答

这个控制台警告不是一个错误或实际的问题- Chrome只是传播这个新标准的消息,以增加开发人员的采用。

这与你的代码无关。这是他们的网络服务器必须支持的。

修复的发布日期是2020年2月4日,具体如下: https://www.chromium.org/updates/same-site

2020年2月:Chrome 80稳定版的强制推出:默认的same - site和SameSite= none - required - secure行为将从2020年2月17日开始面向最初的有限人群推出Chrome 80稳定版,不包括周一的美国总统日假期。我们将密切监测和评估从最初的有限阶段到逐步增加的生态系统影响。

完整的Chrome发布时间表,请看这里。

我通过添加响应头解决了同样的问题

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

SameSite阻止浏览器在发送跨站点请求时发送cookie。主要目标是降低跨来源信息泄露的风险。它还提供了一些针对跨站点请求伪造攻击的保护。该标志的值可能是Lax或Strict。

SameSite cookie的解释在这里

请在申请任何选项之前参考此文件。

为了详细说明Rahul Mahadik的回答,这适用于MVC5 c#。NET:

AllowSameSiteAttribute.cs

public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if(response != null)
        {
            response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
            //Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

HomeController.cs

    [AllowSameSite] //For the whole controller
    public class UserController : Controller
    {
    }

or

    public class UserController : Controller
    {
        [AllowSameSite] //For the method
        public ActionResult Index()
        {
            return View();
        }
    }

我不得不在chrome中禁用://flags

更新- 2021年6月

chrome 91实验面板中#same-site-by-default的chrome标志被移除。

该标志仍然可以通过启动选项,直到Chrome 94。

对于macos,使用该标志启动的终端命令是:

// Chrome
open -n -a Google\ Chrome --args --disable-features=SameSiteByDefaultCookies

// Chrome Canary
open -n -a Google\ Chrome\ Canary --args --disable-features=SameSiteByDefaultCookies

更多信息:

2021年3月18日:从chrome 91开始,标记#same-site-by-default-cookies和#cookies-without-same-site-must-be-secure已从chrome://flags中移除,因为该行为现在默认启用。在Chrome 94中,命令行标志——disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure将被移除。 来源:Chromium SameSite Updates页面。


最初答案- 2020年3月

如果你在本地主机上测试,你无法控制响应头,你可以用chrome标志禁用它。

访问url并禁用它:chrome://flags/#same-site-by-default-cookies

我需要禁用它,因为Chrome金丝雀刚刚开始强制执行这条规则,大约V 82.0.4078.2,现在它没有设置这些cookie。

注意:我只在我用于开发的Chrome金丝雀中打开这个标志。最好不要在每天浏览Chrome浏览器时打开该标志,原因与谷歌引入它的原因相同。

修正了在脚本标签中添加交叉来源的问题。

来自:https://code.jquery.com/

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

完整性和交叉源属性用于Subresource 完整性(SRI)检查。这允许浏览器确保这一点 托管在第三方服务器上的资源没有被篡改。 推荐使用SRI作为最佳实践,无论何时库都是如此 从第三方源加载。更多信息请访问srihash.org