Cookie previously set as "SameSite: Strict" is not available in document.cookie in Firefox and Safari

Problem description:

We have a cookie set for XSRF/CSRF at the beginning of a user's session. At some point the user navigates to a different domain (e.g. for payment), performs some actions, and navigates back to our domain. Upon returning to our domain, Firefox and Safari cannot read a cookie set as samesite: Strict, Chrome can. In the case of Chrome and Firefox (but not Safari) it does show up under the developer tools section for cookies.

The samesite explanation on MDN explains that upon future requests the cookie will be sent along in the Request headers. For all three browsers, this is the case. What the explanation is inconclusive about is whether it should be possible to read this cookie through document.cookie. For Firefox, Safari and Chrome we can read the 'Lax' cookies, but only in Chrome can we read the 'Strict' cookies. This is also true upon page refresh, but not upon opening a new tab (i.e. only through navigation).

Is this a bug in Safari and Firefox, or in Chrome - or is the spec inconclusive? What would the spec (w3?) be?

It can be easily recreated locally with a web server with two vhosts, test.internalsite.com and test.externalsite.com, and these pages with some PHP:

<?php
  // Both cookies are scoped to the internal vhost. The options-array form of
  // setcookie() (required for the "samesite" attribute) needs PHP 7.3 or later.
  setcookie("CSRFLax", "hiLax", array("path"=>"/", "samesite"=>"Lax", "domain"=>"test.internalsite.com"));
  setcookie("CSRFStrict", "hiStrict", array("path"=>"/", "samesite"=>"Strict", "domain"=>"test.internalsite.com"));
?>
<html>
  <body>Internal site
      <p><a href="http://test.externalsite.com">Go to External site</a></p>
      <!-- Shows which of the two cookies the browser exposes to script -->
      <p>Document cookie: <script>document.write(document.cookie);</script></p>
  </body>
</html>

and

<html>
  <body>External site
    <a href="http://test.internalsite.com">Go to internal Site</a>
  </body>
</html>

As recommended by our security officer, who was not inclined to discuss the possibility of using 'Lax' cookies instead of 'Secure' cookies (for what I can see as no other reason than semantics), we have implemented a simple workaround by refreshing the page. This works to retrieve the Strict cookies in Chrome and Safari.

// Cookie names are case-sensitive; lower-case both sides so the comparison is
// consistent (lower-casing only the cookie string while searching for a
// mixed-case name would never match).
var canReadStrictCookie = function(cookies) {
  return cookies.toLowerCase().indexOf('mySameSiteSecureCookieName'.toLowerCase()) !== -1;
};

// Reload once with a marker in the query string; the marker prevents an
// endless reload loop if the cookie still cannot be read afterwards.
if(document.location.href.indexOf('jmkCheck') === -1 && !canReadStrictCookie(document.cookie)){
  document.location.href='?jmkCheck';
}
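An added example (not part of the original question or answer) of a more robust form of the reload workaround above: document.cookie is parsed into name/value pairs instead of searched with indexOf, so a name that is merely a substring of another cookie cannot produce a false positive, and the reload is performed at most once. The cookie name CSRFStrict and the jmkCheck marker are taken from the post; the function and constant names are assumptions.

```javascript
// Added example, not the poster's code. Assumes the CSRF cookie is named
// CSRFStrict and that "jmkCheck" marks a page that has already been reloaded.
const CSRF_COOKIE_NAME = 'CSRFStrict';
const RELOAD_MARKER = 'jmkCheck';

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
// Values may themselves contain '=', so split on the first '=' only.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? '' : trimmed.slice(eq + 1);
    cookies[name] = value;
  }
  return cookies;
}

// True only when a cookie with exactly this name is visible to script.
function canReadStrictCookie(cookieString, name = CSRF_COOKIE_NAME) {
  return Object.prototype.hasOwnProperty.call(parseCookies(cookieString), name);
}

// Decide whether a one-time same-site reload is needed. Returns the URL to
// navigate to, or null when the cookie is readable or a reload already ran.
function reloadTargetIfNeeded(href, cookieString) {
  const url = new URL(href);
  if (url.searchParams.has(RELOAD_MARKER)) return null; // already reloaded once
  if (canReadStrictCookie(cookieString)) return null;   // nothing to do
  url.searchParams.set(RELOAD_MARKER, '1');
  return url.toString();
}

// Browser usage (no-op outside a browser):
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const target = reloadTargetIfNeeded(location.href, document.cookie);
  if (target) location.href = target;
}
```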

I would highly recommend that you use the 'Lax' setting if you are in control of the cookies yourself. The name is confusing: it's not lax security (in fact it's more secure than it used to be before same-site was introduced).