cookies you don't know

The basic cookie attributes are familiar: cookies are attached to requests automatically, they have a size limit, they are cached locally, the backend can set them (Set-Cookie), and sending them on cross-origin requests raises cross-origin issues. A few less common attributes are rarely discussed.

crossorigin

The same-origin policy blocks ordinary cross-origin requests, but resources loaded by tags such as link, script, img, video and audio are not subject to it, and these tags accept a crossorigin attribute that controls whether cookies are sent:

  • anonymous: the default value. The resource is fetched with a CORS request that carries no credentials.
  • use-credentials: the cross-origin request is sent with credentials (cookies and client certificates).

Generally you do not need to set it, and no cookies are sent. Set it directly if you need it, but I have not tried whether setting it to send cookies triggers a cross-origin error.

SameSite cookies

I often saw this attribute in the console before but did not pay attention to it at the time; it mainly deals with cross-site problems. We know there is an attack called cross-site request forgery (CSRF), and setting this attribute can prevent it.

The definition of "same site" is: the eTLD+1 is the same. For http://a.wade.com:80, the eTLD+1 is wade.com.

For example, compare the following addresses with https://a.wade.com:80:

  • https://b.wade.com:80: same site, different subdomain
  • http://a.wade.com:80: same site, different protocol
  • https://a.wade.com:443: same site, different port
  • https://abc.com:80: cross-site, different domain

This is awkward: the conditions for cross-site request forgery are far too easy to meet. So starting with Chrome 51 a new SameSite attribute was added, which helps defend against CSRF attacks and user tracking. It has three values:

  • Strict: third-party cookies are completely prohibited; the cookie is never sent on a cross-site request, under any circumstances.
  • Lax: some third-party requests may carry the cookie. Links, preload requests and GET forms are allowed; Ajax, iframe and img requests are not.
  • None: the cookie is sent in all cases, but Secure must also be set, so it only takes effect over https.
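As an added example (not code from the original post), this JavaScript models the two rules above: "same site" means equal eTLD+1, and each SameSite value decides whether a cookie rides along on a cross-site request. The public-suffix list is stubbed to a few entries, which is an assumption of the example, not browser behaviour.

```javascript
// Added example: a model of the SameSite decision, not browser source code.
// The real public-suffix list is large; this stub is an assumption.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'co.uk']);

// "Site" = eTLD+1: the registrable domain, ignoring scheme and port.
function siteOf(url) {
  const host = new URL(url).hostname;
  const labels = host.split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return host;
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None', secure: boolean }
// request: { url, initiator, topLevel: boolean, method }
// Returns true if the browser would attach the cookie to the request.
function cookieSent(cookie, request) {
  const https = new URL(request.url).protocol === 'https:';
  if (cookie.secure && !https) return false;           // Secure cookies never go over http
  if (isSameSite(request.url, request.initiator)) return true;
  switch (cookie.sameSite) {
    case 'Strict':
      return false;                                     // never cross-site
    case 'None':
      return cookie.secure;                             // None without Secure is rejected
    default:                                            // Lax, also the default when unset
      // only top-level navigations with a safe method (link, GET form, preload)
      return request.topLevel && request.method === 'GET';
  }
}
```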

The default SameSite is now Lax, so some older sites show warnings in the console of newer browsers, such as:

A parser-blocking, cross site (i.e. different eTLD+1) script

A cookie associated with a cross-site resource at was set without the SameSite attribute.

Source: blog.csdn.net/wade3po/article/details/127907632