SameSite cookies

The SameSite cookie attribute lets a server require that a cookie not be sent on cross-site requests, which blocks cross-site request forgery (CSRF) attacks.

SameSite can take one of three values:

None
The browser will send cookies with both cross-site requests and same-site requests.

Strict
The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the Strict attribute will be included.

Lax
Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.


Although the goal is to protect privacy and prevent CSRF attacks, the change cannot be rolled out seamlessly, and many developers will probably not be willing to adapt on their own.
A cookie with no SameSite attribute is treated "almost the same" as SameSite=Lax: Chrome has a temporary scheme under which, for non-idempotent requests on top-level navigations, cookies that were set within the last 2 minutes or whose lifetime is no more than 2 minutes are still sent.
Setting SameSite=None requires the Secure attribute as well, and you also have to handle the browser compatibility problems caused by the spec change (Chrome 51-66 / UC 12.13.2 / MacOS 10.14 / iOS 12).
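Added example, not code from the original post or from any browser: a simplified model of the rules above that decides whether a stored cookie is attached to a request, including Chrome's Lax-by-default behaviour, the temporary two-minute allowance for freshly set cookies on top-level non-idempotent requests, and the rejection of SameSite=None without Secure. The Set-Cookie strings, timestamps and request fields are constructed; the cookie-lifetime variant of the two-minute rule and the real same-site computation (eTLD+1, schemes, redirects) are not modelled.

```javascript
const TWO_MINUTES_MS = 2 * 60 * 1000;
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Parse a Set-Cookie header value into a cookie record.
// setAtMs (constructed here) is when the browser stored the cookie.
function parseSetCookie(header, setAtMs) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null, // null means the attribute was absent
    setAtMs,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = (v || "").toLowerCase();
  }
  return cookie;
}

// "Reject insecure SameSite=None cookies": a None cookie without Secure
// is refused at set time and never stored.
function isAccepted(cookie) {
  return !(cookie.sameSite === "none" && !cookie.secure);
}

// req: { sameSite: bool, topLevel: bool, method: string, nowMs: number }
// Returns true when the browser would attach the cookie to this request.
function shouldSend(cookie, req) {
  if (!isAccepted(cookie)) return false;
  if (req.sameSite) return true; // same-site requests always carry cookies
  let mode = cookie.sameSite;
  if (mode === null) {
    // Lax-by-default, plus Chrome's temporary allowance: a cookie set less
    // than 2 minutes ago still rides on top-level non-idempotent requests.
    const ageMs = req.nowMs - cookie.setAtMs;
    if (req.topLevel && !SAFE_METHODS.has(req.method) && ageMs < TWO_MINUTES_MS) {
      return true;
    }
    mode = "lax";
  }
  if (mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: only top-level navigations using a safe method.
  return req.topLevel && SAFE_METHODS.has(req.method);
}
```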

References:
SameSite Cookies
SameSite cookies explained
SameSite cookie recipes
Intent to Implement and Ship: Cookies with SameSite by default
SameSite Updates
SameSite=None: Known Incompatible Clients
Cookies default to SameSite=Lax
Reject insecure SameSite=None cookies
