SameSite warning in Chrome 77

Time: 2019-10-07 13:34:32

Tags: javascript google-chrome cookies samesite

Since the last update, I get errors about my cookies related to the SameSite attribute.

The cookies come from third-party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.).

The error in the Chrome console looks like this.

A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
(index):1 A cookie associated with a cross-site resource at http://jquery.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://fontawesome.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at https://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://www.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
(index):1 A cookie associated with a cross-site resource at http://gstatic.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Do I need to do anything on my local machine or on the server, or is this just something that should be implemented in future versions of the libraries?

6 answers:

Answer 0 (score: 58)

This console warning is not an error or an actual problem; Chrome is just spreading the word about this new standard to increase developer adoption.

The release date for this change is February 4, 2020, with the specific dates here: https://www.chromium.org/updates/same-site

I solved the same problem by adding a response header

response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. The possible values of the flag are Lax or Strict.

SameSite cookies are explained here

Please refer to this before applying any of the options

Hope this helps.
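As an added example that is not part of any of the answers above, the following Node.js snippet builds a well-formed Set-Cookie value and audits existing ones against the behaviour Chrome's warning describes: a cookie with no SameSite attribute is treated as Lax and withheld from cross-site requests, and SameSite=None without Secure is rejected outright. The cookie names and values are constructed for illustration. One practitioner detail worth knowing: a Set-Cookie header must begin with a name=value pair, so an attribute-only value such as "HttpOnly;Secure;SameSite=Strict" does not set any cookie, which the audit function reports as invalid.

```javascript
// Added example (not from the original answers): build and audit Set-Cookie
// headers against Chrome's SameSite-by-default rules. Cookie names/values
// below are constructed for illustration.

// Build a well-formed Set-Cookie value. A Set-Cookie header must start with a
// name=value pair; attributes alone are not a valid cookie.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = true, httpOnly = true, maxAge } = {}) {
  const allowed = ['Strict', 'Lax', 'None'];
  if (!allowed.includes(sameSite)) throw new Error(`invalid SameSite value: ${sameSite}`);
  // Chrome rejects SameSite=None unless the cookie is also Secure.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie value into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Classify how Chrome (SameSite-by-default enabled) treats a Set-Cookie value
// when the cookie would be used in a cross-site context.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  if (!name) return { status: 'invalid', reason: 'missing name=value pair; no cookie is set' };
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  const secure = attrs.secure === true;
  if (sameSite === undefined) {
    return { status: 'warn', reason: 'no SameSite attribute; defaults to Lax, so not sent on cross-site requests' };
  }
  if (sameSite === 'none' && !secure) return { status: 'rejected', reason: 'SameSite=None without Secure is rejected' };
  if (sameSite === 'none') return { status: 'ok', reason: 'sent cross-site (SameSite=None; Secure)' };
  if (sameSite === 'lax' || sameSite === 'strict') return { status: 'ok', reason: `first-party only (SameSite=${attrs.samesite})` };
  return { status: 'warn', reason: `unrecognised SameSite value ${attrs.samesite}; treated like a missing attribute` };
}

// Constructed sample headers, including the attribute-only value from the answer above.
const sampleHeaders = [
  buildSetCookie('session', 'abc123', { sameSite: 'None', maxAge: 7200 }),
  'HttpOnly;Secure;SameSite=Strict',
  'tracker=1; Path=/',
  'widget=2; SameSite=None',
];
for (const h of sampleHeaders) {
  const r = auditSetCookie(h);
  console.log(`${r.status.padEnd(8)} ${h}  (${r.reason})`);
}
```

Run it with `node audit-cookies.js`; the four sample lines come out as ok, invalid, warn and rejected respectively. The same audit can be pointed at the Set-Cookie headers a real response returns (for example, from a fetch in Node) to see which third-party cookies the warning is about.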

Answer 1 (score: 43)

If you are testing on localhost and cannot control the response headers, you can disable it with a Chrome flag.

Visit this URL and disable it: chrome://flags/#same-site-by-default-cookies

I needed to disable it because Chrome Canary started enforcing this rule from around v82.0.4078.2, and now it does not set those cookies.

Note: I only change this flag in Chrome Canary, which I use for development. For the same reasons Google introduced it into Chrome, it is best not to change the flag in your everyday Chrome.

Answer 2 (score: 13)

Solved by adding crossorigin to the script tag.

From: https://code.jquery.com/


The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been tampered with. Use of SRI is recommended as a best practice whenever libraries are loaded from a third-party source. Learn more at srihash.org

Answer 3 (score: 9)

To elaborate on Rahul Mahadik's answer, this works for MVC5 C# .NET:

AllowSameSiteAttribute.cs

using System.Web.Mvc;

// Action filter that adds a Set-Cookie header to every response of the
// decorated controller or action.
public class AllowSameSiteAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var response = filterContext.RequestContext.HttpContext.Response;

        if (response != null)
        {
            // Note: a Set-Cookie header normally starts with a name=value pair;
            // this value carries only the cookie attributes.
            response.AddHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");
            // Add more headers...
        }

        base.OnActionExecuting(filterContext);
    }
}

HomeController.cs

[AllowSameSite] // For the whole controller
public class UserController : Controller
{
}

public class UserController : Controller
{
    [AllowSameSite] // For the method
    public ActionResult Index()
    {
        return View();
    }
}

Answer 4 (score: 0)

I had to disable it in chrome://flags


Answer 5 (score: 0)

Regarding Google Analytics, I found raik's answer on Secure Google tracking cookies very useful. It sets secure and samesite as a single value.

ga('create', 'UA-XXXXX-Y', {
    cookieFlags: 'max-age=7200;secure;samesite=none'
});

There is more information in this blog post