SameSite cookies

SameSite cookies let a server require that a cookie not be sent with cross-site requests, which blocks cross-site request forgery (CSRF) attacks that rely on the browser attaching the cookie automatically.


None: The browser will send cookies with both cross-site requests and same-site requests.

Strict: The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the Strict attribute will be included.

Lax: Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.

Although the goal is to protect privacy and prevent CSRF, the change cannot be rolled out seamlessly, and many developers will probably not be willing to adapt their sites proactively.
A cookie with no SameSite attribute is treated "almost" as SameSite=Lax. Chrome has a transitional rule: on a top-level navigation with a non-idempotent method, it still attaches such cookies if they were set within the last 2 minutes or have a lifetime of no more than 2 minutes.
SameSite=None must be combined with Secure, and you also have to handle the browser compatibility problems caused by the spec change: Chrome 51-66 / UC 12.13.2 / macOS 10.14 / iOS 12.
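The following is an added example (not code from the original notes or from any browser): a small model of the decision a browser makes when deciding whether to attach a cookie to a request under each SameSite value, including the transitional 2-minute rule for cookies with no SameSite attribute, plus a Set-Cookie builder that refuses SameSite=None without Secure. The function names cookieWouldBeSent, buildSetCookie and the request/cookie object shapes are this example's own assumptions, and the 2-minute rule is modelled only for the "set within the last 2 minutes" case.

```javascript
// Added example: model of SameSite cookie attachment rules (not a browser API).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
// Transitional window from the notes: cookies without an explicit SameSite
// attribute are still sent on unsafe top-level navigations for 2 minutes.
const LAX_UNSAFE_GRACE_MS = 2 * 60 * 1000;

// cookie:  { name, value, sameSite: 'Strict'|'Lax'|'None'|undefined, secure, setAt }
// request: { crossSite, topLevelNavigation, method, now }   (timestamps in ms)
function cookieWouldBeSent(cookie, request) {
  if (!request.crossSite) return true;          // same-site requests always carry it
  const mode = cookie.sameSite || 'Lax';        // unset is treated like Lax
  switch (mode) {
    case 'Strict':
      return false;                              // withheld on every cross-site request
    case 'None':
      return cookie.secure === true;             // cross-site only when also Secure
    case 'Lax': {
      if (!request.topLevelNavigation) return false;      // images, frames, fetch
      if (SAFE_METHODS.has(request.method.toUpperCase())) return true; // link follow
      // Unsafe top-level navigation (e.g. a cross-site form POST): only an
      // unset attribute plus a freshly set cookie gets through (Chrome rule).
      const ageMs = request.now - cookie.setAt;
      return cookie.sameSite === undefined && ageMs >= 0 && ageMs < LAX_UNSAFE_GRACE_MS;
    }
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// Build a Set-Cookie header value, enforcing the None-requires-Secure rule
// at the server instead of relying on the browser to reject the cookie.
function buildSetCookie({ name, value, sameSite, secure = false, httpOnly = true, path = '/' }) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Constructed scenarios: a cross-site form POST (the classic CSRF shape),
// a cross-site image load, and a cross-site link click, each against a
// session cookie set 30 seconds ago.
function runScenarios(now = Date.now()) {
  const session = (sameSite, secure = true) => ({ name: 'sid', value: 'x', sameSite, secure, setAt: now - 30_000 });
  const formPost = { crossSite: true, topLevelNavigation: true, method: 'POST', now };
  const imageLoad = { crossSite: true, topLevelNavigation: false, method: 'GET', now };
  const linkClick = { crossSite: true, topLevelNavigation: true, method: 'GET', now };
  const out = {};
  for (const mode of ['Strict', 'Lax', 'None', undefined]) {
    out[mode ?? 'unset'] = {
      formPost: cookieWouldBeSent(session(mode), formPost),
      imageLoad: cookieWouldBeSent(session(mode), imageLoad),
      linkClick: cookieWouldBeSent(session(mode), linkClick),
    };
  }
  return out;
}

console.table(runScenarios());
console.log(buildSetCookie({ name: 'sid', value: 'abc', sameSite: 'Lax', secure: true }));
```

The scenario table makes the risk concrete: an unset attribute still lets a 30-second-old cookie ride along with a cross-site POST, so a form-based CSRF protection (anti-CSRF token) remains necessary during the transition; explicit Lax or Strict withholds it.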

SameSite Cookies
SameSite cookies explained
SameSite cookie recipes
Intent to Implement and Ship: Cookies with SameSite by default
SameSite Updates
SameSite=None: Known Incompatible Clients
Cookies default to SameSite=Lax
Reject insecure SameSite=None cookies

HTMLInputElement checkbox indeterminate

Properties that apply only to elements of type checkbox or radio
checked Boolean: Returns / Sets the current state of the element when type is checkbox or radio.
defaultChecked Boolean: Returns / Sets the default state of a radio button or checkbox as originally specified in HTML that created this object.
indeterminate Boolean: Returns whether the checkbox or radio button is in an indeterminate state. For checkboxes, the effect is that the appearance of the checkbox is obscured/greyed in some way to indicate that its state is indeterminate (not checked but not unchecked). It does not affect the value of the checked attribute, and clicking the checkbox will set the value to false.
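As an added example (not from the original notes or from MDN), the usual use of the indeterminate property is a "select all" checkbox that shows the greyed state while only some of its child checkboxes are checked. deriveParentState is a pure helper of this example so the logic can be checked without a browser; applyParentState and wireSelectAll are assumed names that bind it to real input elements, and the #select-all / input.item selectors are placeholders for your own markup.

```javascript
// Added example: "select all" checkbox driven by the indeterminate property.

// children: array of booleans (each child's checked state).
// Returns the state the parent checkbox should display.
function deriveParentState(children) {
  const total = children.length;
  const checkedCount = children.filter(Boolean).length;
  if (total === 0 || checkedCount === 0) return { checked: false, indeterminate: false };
  if (checkedCount === total) return { checked: true, indeterminate: false };
  // Mixed selection: show the greyed box. `checked` stays false because the
  // indeterminate flag does not change the checked value.
  return { checked: false, indeterminate: true };
}

// Write the derived state onto an <input type="checkbox">. indeterminate is a
// DOM property only; there is no HTML attribute for it.
function applyParentState(parent, state) {
  parent.checked = state.checked;
  parent.indeterminate = state.indeterminate;
  return parent;
}

// Bind a parent checkbox to its children. A click on the parent clears the
// indeterminate flag in the browser and toggles checked as usual, so the
// handler pushes the resulting checked value down to every child.
function wireSelectAll(parent, children) {
  const sync = () => applyParentState(parent, deriveParentState(children.map(c => c.checked)));
  children.forEach(c => c.addEventListener('change', sync));
  parent.addEventListener('change', () => {
    parent.indeterminate = false;
    children.forEach(c => { c.checked = parent.checked; });
  });
  sync();
}

// Only wire up the DOM when one exists (the helpers above run anywhere).
if (typeof document !== 'undefined') {
  const parent = document.querySelector('#select-all');          // placeholder selector
  const children = Array.from(document.querySelectorAll('input.item')); // placeholder selector
  if (parent) wireSelectAll(parent, children);
}
```

Because indeterminate is never serialized into the form submission, server-side code must not rely on it; treat it purely as a display hint and derive the real selection from the child checkboxes.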