Question
I have a website that loads a resource from another website. I've been able to determine that:
- The third-party website places cookies on the user's browser.
- If I disable third-party cookies in my browser settings, the third-party website is no longer able to place cookies on the browser.
- The resource still works properly.
I'm wondering if there is some kind of header or other directive I can deliver from my website that will have the same effect for my users as if they had disabled third-party cookies, but which doesn't require them to go and monkey around with their settings.
Answer 1:
Generally, it has been impossible to prevent your browser from including cookies in your HTTP requests. However, recently, a few new ways to fetch resources were added to browsers.
- Using the Fetch API: `fetch` ignores `Set-Cookie` in responses, and does not include `Cookie` unless specified.
- Using ES6 (ES2015) modules: `<script type="module" ...>` without its `crossorigin` attribute will not send `Cookie`. It doesn't work for non-module scripts, and the server (not yours, the one serving the file) must be configured to serve the file with valid CORS headers. Scripts imported with `import * from blah.com/script.js` will also behave in the same way. Follow the link for more info.
- Setting `crossorigin="anonymous"`: Resource elements such as `script`, `img` and `style` with `crossorigin="anonymous"` will not include `Cookie` headers in subsequent requests.
But these all work by using Cross-Origin Resource Sharing (CORS), and if the resource server is configured to disallow requests without credentials (cookies, and other headers), they won't work. You will likely get 404 or other errors instead.
If you are worried about third-party cookies, it's usually better to serve statics from your own server, or cookie-free servers like most CDNs.
Browsers such as Firefox and Safari disable third-party cookies by default, and Chrome is the last modern browser that still allows third-party cookies by default as of Jan 2020. But even Chrome is phasing out third-party cookies.
Source: https://stackoverflow.com/questions/51371190/is-it-possible-to-disable-third-party-cookies-while-on-my-site-on-behalf-of-user
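An added example, not part of the question or the answer above: a small audit that models how the HTML `crossorigin` attribute selects a subresource's credentials mode, so a site owner can list which tags still let a third party receive and set cookies and which ones will depend on the third party's CORS headers. The hostnames and resource list are constructed sample data, and `credentialsMode` and `auditResources` are names chosen for this sketch.

```javascript
// Maps a resource tag to the credentials mode the browser uses for its request.
function credentialsMode(res) {
  const isModule = res.tag === 'script' && res.type === 'module';
  const attr = res.crossorigin; // undefined when the attribute is absent
  if (attr === undefined) {
    // Classic script/img/link: "no-cors" request, cookies included.
    // Module script: always a CORS request, credentials default to "same-origin".
    return isModule ? 'same-origin' : 'include';
  }
  // "use-credentials" opts in to cookies; every other value, including ""
  // and unknown keywords, is treated as "anonymous".
  return String(attr).toLowerCase() === 'use-credentials' ? 'include' : 'same-origin';
}

// Returns one finding per resource for a page served from pageOrigin.
function auditResources(pageOrigin, resources) {
  const own = new URL(pageOrigin).origin;
  return resources.map((res) => {
    const crossOrigin = new URL(res.url, pageOrigin).origin !== own;
    const usesCors = res.crossorigin !== undefined ||
      (res.tag === 'script' && res.type === 'module');
    return {
      url: res.url,
      // Cookies flow to the third party only on credentialed cross-origin loads.
      thirdPartyCookies: crossOrigin && credentialsMode(res) === 'include',
      // CORS loads fail unless the third party sends Access-Control-Allow-Origin.
      needsCorsHeaders: crossOrigin && usesCors,
    };
  });
}

// Constructed sample: tags as they might appear on https://shop.example
const sample = [
  { tag: 'script', url: 'https://tracker.example/t.js' },
  { tag: 'script', url: 'https://tracker.example/t.js', crossorigin: 'anonymous' },
  { tag: 'script', type: 'module', url: 'https://cdn.example/m.js' },
  { tag: 'img', url: 'https://ads.example/p.gif', crossorigin: 'use-credentials' },
  { tag: 'img', url: '/logo.png' },
];

console.log(auditResources('https://shop.example', sample));
```

In a browser the same descriptors can be built from `document.querySelectorAll('script[src], img[src], link[href]')` by reading each element's `crossOrigin`, `type` and URL.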