Chrome 80: cookies no longer passed to a cross-domain iframe because of SameSite

We know that by setting Access-Control-Allow-Credentials: true on the server and xhr.withCredentials = true on the client, a cookie can be sent across domains, for example to keep the user's login state. Used improperly, however, this brings CSRF risk.
So, starting with Chrome 51, the browser added a new SameSite attribute to cookies to prevent CSRF attacks and user tracking.
Up to now this setting was off by default, but from Chrome 80 onwards the feature is turned on by default.
So when the login feature of some third-party website stops working, check whether it is affected by this setting.

    • For users, quick solutions:

      1. Open chrome://flags/#same-site-by-default-cookies in Chrome's settings, set it to Disabled, and then restart the browser.

      2. Use an older browser version, for example the 360 Speed browser.

    • For developers, solutions:

      1. Change the cookie's SameSite attribute value to None and set the Secure attribute to
      true. The back-end service domain must then be accessed over the https protocol.
      2. Since setting SameSite=None brings CSRF risk, the best solution is to use a token instead of a cookie for verification.
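      As an added example (not code from the original post), the following Node.js snippet builds the response headers a back end needs for the developer solution above: a Set-Cookie value that enforces the SameSite=None plus Secure rule Chrome 80 applies, and CORS headers for a credentialed request that echo only an allow-listed Origin instead of a wildcard. The hostnames are constructed placeholders.

```javascript
// Added example, not from the original post. Builds the headers a back end
// needs so its cookie survives Chrome 80's SameSite defaults when the page is
// embedded in a cross-site iframe and called with xhr.withCredentials = true.

// Build a Set-Cookie header value. Chrome 80 treats a cookie without a
// SameSite attribute as SameSite=Lax (not sent in a cross-site iframe) and
// rejects SameSite=None unless Secure is also set, so that rule is enforced.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = false, httpOnly = true } = {}) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute (HTTPS only)');
  }
  const parts = [`${name}=${value}`, 'Path=/', `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// CORS headers for a credentialed request. The browser refuses a wildcard
// Access-Control-Allow-Origin when credentials are used, so the request's
// Origin is echoed back only if it is on an explicit allow list.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) {
    return null; // unknown origin: send no CORS headers, the browser blocks the response
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Predict whether Chrome 80 attaches a cookie to a request made from an
// iframe whose top-level site differs from the cookie's own site.
function sentInCrossSiteIframe(sameSite, secure, overHttps) {
  return sameSite === 'None' && secure && overHttps;
}

// Usage with constructed hostnames: https://embedder.example embeds a page
// from https://api.example, which calls back to api.example with credentials.
console.log(buildSetCookie('session', 'abc123', { sameSite: 'None', secure: true }));
console.log(corsHeadersFor('https://embedder.example', ['https://embedder.example']));
console.log(sentInCrossSiteIframe('Lax', false, true)); // false: the Lax default breaks the iframe
```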


Source: www.cnblogs.com/lear/p/12559108.html