📅  Last modified: 2023-12-03 15:33:16.321000             🧑  Author: Mango
The SameSite cookie attribute tells browsers whether or not to send a cookie on cross-site requests. By preventing cookies from being sent in certain contexts, the SameSite attribute helps mitigate the risk of cross-site request forgery (CSRF) attacks.
The SameSite attribute can have three possible values:

- SameSite=Strict: cookies are only sent in a first-party context, meaning they are never sent on cross-site requests.
- SameSite=Lax: cookies can be sent on cross-site requests, but only if the user clicked a link that took them to the third-party website.
- SameSite=None: cookies can be sent on cross-site requests regardless of how the user navigated to the target site.

The Secure attribute indicates that a cookie should only be sent over secure (HTTPS) connections. When combined with the SameSite attribute, the Secure attribute can help protect against CSRF attacks by ensuring that cookies are only sent over encrypted connections.
Recently, Google announced that they will start treating cookies with a SameSite value of None without the Secure attribute as if they had the SameSite=Lax value. This change will affect all cookies set without the Secure attribute, regardless of any other SameSite or Domain attribute values.

This means that if your site uses cookies with a SameSite=None value but without the Secure attribute, those cookies will no longer be sent in cross-site requests after the change.
To avoid any potential issues, it's important to update your cookies to include both the SameSite and Secure attributes where appropriate.
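The following is an added example, not code from the original article: a small Set-Cookie parser and audit that flags cookies carrying SameSite=None without Secure (the combination the article says will stop working cross-site), plus a builder that refuses to emit that combination. The sample Set-Cookie header values are constructed for the example, and the function names (`parseSetCookie`, `auditCookie`, `buildSetCookie`, `auditHeaders`) are this example's own.

```javascript
// Added example: audit Set-Cookie headers for the SameSite/Secure rule
// described above and build compliant Set-Cookie values.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Classify a parsed cookie:
//   'ok'                  - SameSite and Secure are consistent
//   'none-without-secure' - SameSite=None but no Secure: the browser will treat it
//                           as Lax (per the article) and drop it from cross-site requests
//   'no-samesite'         - no explicit SameSite attribute; flagged for review
function auditCookie(cookie) {
  const sameSite = typeof cookie.attrs.samesite === 'string'
    ? cookie.attrs.samesite.toLowerCase()
    : null;
  const secure = cookie.attrs.secure === true;
  if (sameSite === 'none' && !secure) return 'none-without-secure';
  if (sameSite === null) return 'no-samesite';
  return 'ok';
}

// Build a Set-Cookie header value, refusing SameSite=None without Secure
// so the misconfiguration cannot be emitted in the first place.
function buildSetCookie({ name, value, sameSite = 'Lax', secure = false, httpOnly = true, path = '/' }) {
  const normalized = ['Strict', 'Lax', 'None']
    .find((v) => v.toLowerCase() === String(sameSite).toLowerCase());
  if (!normalized) throw new Error(`invalid SameSite value: ${sameSite}`);
  if (normalized === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${normalized}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Audit a list of Set-Cookie header values; returns [{ name, status }].
function auditHeaders(headers) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    return { name: cookie.name, status: auditCookie(cookie) };
  });
}

// Constructed sample headers for the example (not captured from a real site).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; SameSite=None',
  'session=abc123; Path=/; SameSite=None; Secure; HttpOnly',
  'prefs=dark; Path=/; SameSite=Lax',
  'legacy=1; Path=/',
];

for (const result of auditHeaders(SAMPLE_HEADERS)) {
  console.log(`${result.name}: ${result.status}`);
}
console.log(buildSetCookie({ name: 'session', value: 'abc123', sameSite: 'None', secure: true }));
```

Running the audit over the constructed headers reports the first `session` cookie as `none-without-secure`, the second as `ok`, `prefs` as `ok`, and `legacy` as `no-samesite`; the builder only emits a SameSite=None cookie when `secure: true` is passed.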
By using the SameSite and Secure attributes, you can help protect your site against CSRF attacks and ensure that your cookies are only sent in secure contexts. It's important to stay up-to-date on any changes to SameSite behavior and adjust your cookies accordingly to avoid any unexpected issues.