Affected scenarios and solutions after upgrading the Chrome browser to version 80

Background

Today, Mr. Zihan received feedback from a colleague that CAS login fails in version 80 of the Chrome browser.
The colleague was quite thorough, and the description of the scenario was very specific: in Chrome 80, a page that was originally embedded as an iframe can no longer be accessed, and the console reports the following error:

A cookie associated with a cross-site resource at http://ip/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

After looking into it, the cause turned out to be the Chrome 80 release that Google shipped on February 4, 2020 (the new cookie behaviour was rolled out gradually to Chrome 80 users from mid-February). Chrome now treats a cookie that is set without a SameSite attribute as SameSite=Lax, which means it is no longer sent on cross-site requests, and it rejects any cookie marked SameSite=None that is not also marked Secure. In effect, third-party cookies are blocked by default unless the server opts in explicitly. The stated purpose is to cut CSRF off at the source: a forged cross-site request no longer carries the victim's session cookie.

Why is CAS affected?

During CAS authentication the CAS server stores the TGC (Ticket Granting Cookie) in the browser, and the CAS-protected application stores its own session cookie once the service ticket has been validated. When that application is loaded inside an iframe on another site, every request the iframe makes is a cross-site request. Because these cookies are set without a SameSite attribute, Chrome 80 treats them as SameSite=Lax and withholds them on those cross-site requests, so the CAS server never sees the TGC, the application never sees its session, and the authentication flow is interrupted.

Affected scenarios

The following known scenarios are affected in Chrome 80:

  1. Component data that depends on an API call relying on a third-party login state.
    Check whether your component calls an API, and whether that API returns user data based on the login state of a third-party site. If so, read on:
    The API is served over HTTPS: see Solution 3 (the cookies it sets need SameSite=None and Secure).
    The API is served over HTTP: see Solution 3 (it must be moved to HTTPS first, because a SameSite=None cookie is rejected unless it is also Secure).
  2. Local deployment over HTTP
    Impact: Chrome 80 blocks the cross-site login flow over plain HTTP, so the whole locally deployed service becomes unavailable.
    Solution: Solution 1, Solution 2 or Solution 3.

Solutions

Solution 1: manual browser setting

Open chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure in Chrome, set both to Disabled, and restart the browser. This only affects the one browser it is applied to, and both flags were removed again in later Chrome releases (Chrome 91), so it is a stopgap rather than a fix.

Solution 2: version rollback

Downgrade to Chrome 79 or lower and turn off automatic updates. Note that this also forgoes every security fix shipped since that version.
Solutions 1 and 2 require users to change their browser environment, which users will certainly not be happy about...

Solution 3 (applications on different sites)

In this scenario the API has to be served over HTTPS (an SSL certificate is required), and every Set-Cookie header in its responses must carry both SameSite=None and Secure. Check the response headers in the browser's developer tools (Network tab) or with curl -I: a cookie with SameSite=None but without Secure is dropped by Chrome 80 outright, and a cookie with neither attribute is stored but withheld from cross-site requests such as the iframe load.
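To make the Chrome 80 rules from the sections above concrete, here is an added example (not code from the original post or from the CAS project) that classifies Set-Cookie headers the way Chrome 80 does for a cross-site iframe request and rewrites them with the attributes Solution 3 requires. The cookie headers at the bottom are constructed samples; the cookie name TGC and the path /cas are the usual CAS defaults but are assumptions here, and the "https" flag models whether the response came over HTTPS (Chrome has refused Secure cookies set from a plain-HTTP origin since version 52).

```javascript
// Chrome 80 behaviour modelled here:
//   - no SameSite attribute        -> treated as SameSite=Lax: stored, but not
//                                     sent on cross-site requests (iframe, XHR)
//   - SameSite=None without Secure -> rejected entirely
//   - Secure cookie set over HTTP  -> rejected (Chrome 52+ "strict secure cookies")
//   - SameSite=None; Secure, HTTPS -> sent on cross-site requests

// Parse one Set-Cookie header into name, value and a map of lower-cased
// attribute names (value-less attributes such as Secure map to true).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// How Chrome 80 treats the cookie on a cross-site request such as an iframe load:
// 'sent', 'withheld' (stored but not delivered cross-site) or 'rejected'.
// `https` says whether the Set-Cookie response itself arrived over HTTPS.
function crossSiteFate(header, { https }) {
  const c = parseSetCookie(header);
  // An absent or unrecognised SameSite value falls back to Lax.
  const sameSite = String(c.attributes.samesite || 'lax').toLowerCase();
  const secure = c.attributes.secure === true;
  if (secure && !https) return 'rejected'; // Secure cookie from a non-secure origin
  if (sameSite === 'none') {
    return secure ? 'sent' : 'rejected'; // None requires Secure
  }
  return 'withheld'; // Lax or Strict: first-party only
}

// Rewrite a Set-Cookie header so the cookie survives a cross-site iframe:
// replace any existing SameSite/Secure attributes with SameSite=None; Secure
// and keep every other attribute (Path, HttpOnly, Max-Age, ...) untouched.
function fixSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const kept = parts.slice(1).filter((p) => {
    const key = p.split('=')[0].trim().toLowerCase();
    return key !== 'samesite' && key !== 'secure';
  });
  return [parts[0], ...kept, 'SameSite=None', 'Secure'].join('; ');
}

// Constructed sample headers (not captured from a real CAS server).
const SAMPLE_HEADERS = [
  'TGC=eyJhbGciOi.example; Path=/cas; HttpOnly',
  'JSESSIONID=3F2A9C; Path=/; HttpOnly; SameSite=None',
  'JSESSIONID=3F2A9C; Path=/; HttpOnly; SameSite=None; Secure',
];

for (const h of SAMPLE_HEADERS) {
  console.log(`over HTTP : ${crossSiteFate(h, { https: false }).padEnd(8)} <- ${h}`);
  console.log(`over HTTPS: ${crossSiteFate(h, { https: true }).padEnd(8)} <- ${h}`);
  console.log(`fixed     : ${fixSetCookie(h)}`);
}
```

Run it with node; the only combination that reaches "sent" is SameSite=None together with Secure over HTTPS, which is exactly the check Solution 3 asks for. fixSetCookie is the transformation a reverse proxy or servlet filter in front of the application would apply to outgoing Set-Cookie headers.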

Solution 4 (applications on the same site)

Put all applications under the same site, for example by placing them behind one nginx reverse proxy on a single host name. Requests from the iframe are then first-party, so the default SameSite=Lax no longer withholds the cookies. The CAS server itself must also be reachable under that site, otherwise the TGC is still a cross-site cookie.
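As an added illustration of this solution (not configuration from the original post), the following nginx fragment fronts the three pieces with one host name. The host name portal.example.com, the certificate paths and the upstream addresses are all assumed; the path prefixes /b/ and /cas/ are chosen for the example, and the application's cookie paths are rewritten to match its prefix.

```nginx
# Assumed layout: supplier A's portal at /, supplier B's CAS-protected
# application at /b/, and the CAS server at /cas/, all on one site so that
# cookies exchanged inside the iframe are first-party.
server {
    listen 443 ssl;
    server_name portal.example.com;          # assumed host name
    ssl_certificate     /etc/nginx/certs/portal.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/portal.key;

    # Supplier A's portal (the page that embeds the iframe)
    location / {
        proxy_pass http://10.0.0.11:8080/;   # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Supplier B's application (the iframe target, a CAS client)
    location /b/ {
        proxy_pass http://10.0.0.12:8080/;   # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_cookie_path / /b/;             # keep its session cookie scoped to /b/
    }

    # The CAS server itself must sit under the same site, or the TGC stays cross-site
    location /cas/ {
        proxy_pass http://10.0.0.13:8080/cas/;   # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The CAS client in supplier B's application must then be configured with the proxied URLs (service URL under https://portal.example.com/b/ and CAS server URL https://portal.example.com/cas/) so that the redirects stay on the same site.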

A customer's system is usually built by several vendors. The scenario where the problem occurs is that vendor A's system embeds vendor B's page through an iframe, and vendor B's system uses CAS for single sign-on. For us, Solution 4 is therefore not feasible.


Source: blog.csdn.net/l714417743/article/details/107763366