Confusion regarding SameSite changes with Chrome

徘徊边缘 submitted on 2020-08-04 07:55:44

Question


I need some help understanding a case which I can not find described in material I have found describing the new SameSite restrictions for Chrome. Currently, I have a case where I have a site hosted which makes cross-site requests to an API. The API responds with CORS headers. The details are:

Site: https://a.a.com
API: https://b.a.com

--API response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://a.a.com

--cookie previously set with

Set-Cookie: value=somevalue; Path=/; Expires=<some time/date>; HttpOnly 

I don't expect the CORS headers to impact anything (based on everything I have seen it never mentions the SameSite changes) but I am putting them here anyways. Given this scenario and when I set the flags at:

chrome://flags/#same-site-by-default-cookies
chrome://flags/#cookies-without-same-site-must-be-secure 

I would expect the browser to block the sending of the cookie value. This is because I would expect the cookie to be treated as if it had SameSite=Lax and that these are cross-site requests. This is not what actually happens and the cookie is sent successfully. When testing this, I also tried waiting 3 minutes between any requests and a POST request to avoid the "Lax+POST" mitigation, as we set the cookie (with updated expiration) on every response. Based on what I am reading about the changes, I don't understand why the sending of this cookie is not blocked by the browser and why these requests succeed.

To make things more confusing, we have some cases during development with the following scenario:

Site: http://localhost
API: https://a.b.com

--API response headers

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost

--cookie previously set with

Set-Cookie: value=somevalue; Path=/; Expires=<some time/date>; HttpOnly 

Unlike the first scenario described, these requests actually block the cookie from being sent as expected (only when the new Chrome flags are enabled). The warning message the browser gives is related to the SameSite and Secure flags, as I would expect.

Can someone help me understand why the first scenario is working yet the second is not? My concern is that its working is actually a bug and that it shouldn't. If this is the case, it may be possible that in the future it might, without warning, go from "working" to "failing".

Details of the Chrome changes/flags I found are here:

  • https://www.chromestatus.com/feature/5633521622188032
  • https://www.chromium.org/updates/same-site
  • https://web.dev/samesite-cookies-explained/

Answer 1:


As mentioned at https://web.dev/samesite-cookies-explained/:

If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request.

Same as your first case:

Site: https://a.a.com
API: https://b.a.com

So the browser considers your first request as a same-site request and cookies won't be removed, but the second one is a cross-site request and cookies without a SameSite attribute will be removed.
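To make the same-site test concrete, here is an added Python model (not code from the question or the answer) of the rules above: it derives the registrable domain (eTLD+1) of each URL using a tiny constructed suffix table instead of the real Public Suffix List, and decides whether a cookie is sent under Chrome's SameSite-by-default rules for the two scenarios in the question. Newer Chrome versions also compare the scheme ("schemeful same-site"), which this simplified model deliberately omits.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: only these suffixes exist).
PUBLIC_SUFFIXES = {"com", "net", "org", "dev", "co.uk"}

# Constructed copy of the question's cookie with a concrete Expires value.
COOKIE = "value=somevalue; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; HttpOnly"

def registrable_domain(host):
    """eTLD+1 of a host; a host with no listed suffix (e.g. localhost) is its own site."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()

def is_same_site(site_url, request_url):
    """Same-site means the same registrable domain (scheme is not compared here)."""
    site = registrable_domain(urlsplit(site_url).hostname)
    target = registrable_domain(urlsplit(request_url).hostname)
    return site == target

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def cookie_decision(set_cookie, site_url, request_url, method="GET", top_level_nav=False):
    """Model Chrome's SameSite-by-default rules:
    - no SameSite attribute        -> treated as Lax
    - SameSite=None without Secure -> cookie rejected
    - Lax: same-site requests, plus cross-site top-level navigations with safe methods
    - Strict: same-site requests only
    Returns 'sent', 'not sent' or 'rejected'."""
    _, attrs = parse_set_cookie(set_cookie)
    mode = attrs.get("samesite", "").lower() or "lax"
    if mode == "none" and "secure" not in attrs:
        return "rejected"
    if mode == "none" or is_same_site(site_url, request_url):
        return "sent"
    if mode == "lax" and top_level_nav and method.upper() in ("GET", "HEAD"):
        return "sent"
    return "not sent"
```

Running the two scenarios through `cookie_decision` reproduces what the question observed: `a.a.com` to `b.a.com` is same-site, so the cookie is sent even on a POST, while `localhost` to `a.b.com` is cross-site and the Lax default withholds it.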



Source: https://stackoverflow.com/questions/60768119/confusion-regarding-samesite-changes-with-chrome
