We know that setting `Access-Control-Allow-Credentials: true` on the server and `xhr.withCredentials = true` in the client lets a cross-origin request carry cookies, for example to keep a user logged in across domains. Used carelessly, however, this opens the door to CSRF.

So, starting with Chrome 51, the browser added a new `SameSite` attribute to cookies to defend against CSRF attacks and cross-site user tracking. At first it was off by default: a cookie with no `SameSite` attribute behaved exactly as before. From Chrome 80 onward the feature is on by default: a cookie without a `SameSite` attribute is treated as `SameSite=Lax` and is no longer sent on cross-site requests, and a cookie marked `SameSite=None` is only accepted if it also carries the `Secure` attribute. So when the third-party login feature of some site stops working, check whether it is affected by this setting.
- For users, the quick fix:
  1. Open `chrome://flags/#same-site-by-default-cookies` in Chrome, set it to Disabled, and restart the browser. (This flag only exists in Chrome 80 through 90; Chrome 91 removed it, so on newer versions this option is gone.)
  2. Use a browser built on an older Chromium, e.g. 360 Speed Browser.
- For developers, the fix:
  1. Set the cookie's `SameSite` attribute to `None` and its `Secure` attribute to true. Because a `Secure` cookie is only sent over TLS, the backend service's domain must be reachable over `https`; over plain `http` the cookie is never set.
  2. `SameSite=None` restores the pre-Chrome-80 behaviour, and with it the CSRF risk. The best solution is therefore to verify the user with a token instead of a cookie, for example sent in an `Authorization` header by your own script: the browser never attaches such a header on its own, so a forged cross-site request does not carry it.
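The developer-side fix above in working form, as an added example that is not part of the original post. The Node.js script below builds the `Set-Cookie` header a backend must send for a cross-site login, models the three Chrome 80 rules described above (no `SameSite` becomes `Lax`; `SameSite=None` without `Secure` is dropped; `SameSite=None; Secure` is sent cross-site), and shows the matching CORS headers for a credentialed request. The cookie name `sid`, the origin `https://app.example` and the function names are assumptions made for illustration.

```javascript
// Added example (not from the original post): builds and checks the
// Set-Cookie / CORS headers a cross-site login needs under Chrome 80's
// SameSite defaults. Plain Node.js, no dependencies; cookie name,
// origins and function names are made up for illustration.

// Chrome 80+ behaviour modelled here:
//   - no SameSite attribute        -> treated as SameSite=Lax
//   - SameSite=None without Secure -> cookie rejected entirely
//   - SameSite=None; Secure        -> sent on cross-site requests
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim().toLowerCase();
  }
  return cookie;
}

// Returns whether Chrome 80 keeps the cookie and whether it will ride
// along on a cross-site XHR/fetch made with withCredentials = true.
function classifyForChrome80(header) {
  const c = parseSetCookie(header);
  const mode = c.sameSite === null ? 'lax' : c.sameSite;  // Lax-by-default rule
  if (mode === 'none' && !c.secure) {
    return { accepted: false, sentCrossSite: false,
             reason: 'SameSite=None requires Secure; Chrome 80 drops the cookie' };
  }
  if (mode === 'none') {
    return { accepted: true, sentCrossSite: true, reason: 'SameSite=None; Secure' };
  }
  return { accepted: true, sentCrossSite: false,
           reason: `SameSite=${mode} is never sent on cross-site XHR/fetch` };
}

// The cookie a backend (served over https) must set so that a
// third-party login keeps working after Chrome 80.
function buildCrossSiteSessionCookie(name, value, { maxAge = 3600 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=None`;
}

// CORS headers for a credentialed request. With credentials the browser
// rejects Access-Control-Allow-Origin: *, so echo the one allowed origin
// and add Vary: Origin so shared caches don't mix responses across origins.
function credentialedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null; // unknown site: no CORS headers at all
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Demo with constructed values.
const cookieHeader = buildCrossSiteSessionCookie('sid', 'abc 123');
console.log(cookieHeader);
console.log(classifyForChrome80('sid=1; Path=/'));                 // Lax by default: not sent cross-site
console.log(classifyForChrome80('sid=1; Path=/; SameSite=None'));  // rejected outright
console.log(classifyForChrome80(cookieHeader));                    // accepted and sent cross-site
console.log(credentialedCorsHeaders('https://app.example', ['https://app.example']));
```

Note that `credentialedCorsHeaders` only ever echoes an origin from an explicit allowlist; reflecting whatever `Origin` the request sends would let any site make credentialed requests to the backend, which is the CSRF exposure the second developer step warns about.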