Question
Regarding security concerns, are browser providers excusable for allowing cross-site cookies? Does any important use of it justify the existence of this dangerous mechanism?
See this reference
Answer 1:
No.
Webmasters can ask (modern) browsers to only send cookies when first-party with the SameSite attribute:
Set-Cookie: key=value; HttpOnly; SameSite=strict
https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
Beware, it's possible that when arriving on the website from another, cookies will not be sent.
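To make the answer's point concrete, here is an added example (not part of the original answer) that parses a Set-Cookie header like the one above and models when a browser would attach the cookie, including the caveat that a SameSite=Strict cookie is not sent when the user arrives from another site. It assumes the Chromium behaviour of treating a missing SameSite attribute as Lax and ignores the temporary "Lax+POST" exception.

```python
# Added example: a simplified model of browser SameSite cookie handling.
# Assumptions (not from the original post): missing SameSite is treated as
# Lax (Chromium default); SameSite=None requires the Secure attribute.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip().lower() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_would_be_sent(cookie: dict, *, same_site: bool,
                         top_level_navigation: bool, method: str,
                         https: bool) -> bool:
    """Return True if a browser would attach this cookie to the described request.

    same_site: request target is same-site with the page that initiated it.
    top_level_navigation: the request is a top-level navigation (e.g. link click),
    not a subresource or fetch/XHR.
    """
    attrs = cookie["attrs"]
    samesite = attrs.get("samesite", "lax")  # assumption: Lax when unspecified
    if attrs.get("secure") and not https:
        return False  # Secure cookies never travel over plain HTTP
    if samesite == "none":
        # Cross-site by design, but only accepted when also marked Secure.
        return bool(attrs.get("secure")) and https
    if same_site:
        return True  # first-party requests always carry the cookie
    if samesite == "strict":
        # The answer's caveat: arriving from another site, the cookie is withheld.
        return False
    # Lax: cross-site only on top-level navigations using a safe method,
    # which is what blocks the classic cross-site POST.
    return top_level_navigation and method.upper() in SAFE_METHODS


if __name__ == "__main__":
    strict = parse_set_cookie("key=value; HttpOnly; SameSite=strict")
    print(cookie_would_be_sent(strict, same_site=False,
                               top_level_navigation=True, method="GET", https=True))
```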
Source: https://stackoverflow.com/questions/43477529/regarding-security-concerns-are-browser-providers-excusable-for-allowing-cross