How to handle the SameSite cross-domain cookie problem that appears from Google Chrome version 80

Problems that appear from Google Chrome version 80:

Situation one:

If the domain name in the address bar is aaa.com and the Ajax request also goes to aaa.com, then the cookies of aaa.com are sent with every request to the aaa.com domain. For example, the cookie created when logging in to aaa.com (assume it is token=123) is sent when Ajax calls the aaa.com/api/queryUser interface, regardless of whether that cookie has Secure and SameSite=None set.

Situation two:

If the domain name in the address bar is aaa.com and the Ajax request goes to bbb.com, then the cookies of bbb.com can still be sent with requests to the bbb.com domain. For example, the cookie created when logging in to bbb.com (assume it is token=123) is sent when Ajax calls the bbb.com/api/queryUser interface, but only if the token=123 cookie has the Secure and SameSite=None attributes; otherwise the cookie is not sent even though it belongs to the same domain as the request. Note: what is described here is the address bar showing aaa.com while the request goes to bbb.com/api/queryUser. If the cookie itself would have to cross domain names (an aaa.com cookie sent to bbb.com), it will not work even with Secure and SameSite=None.

Complete Nginx configuration:

upstream tomcat_server {
    server 127.0.0.1:8001 weight=10 max_fails=2 fail_timeout=30s;
}

log_format newmain '$remote_addr - "$http_x_forwarded_for" - "$http_j_forwarded_for" - $remote_user [$time_local]'
                   '"$request" $status $bytes_sent '
                   '"$http_referer" "$http_user_agent" '
                   '"$gzip_ratio"';

# Rate-limiting zone (it only takes effect once a location applies it with limit_req)
limit_req_zone $binary_remote_addr zone=ip_limit_index:20m rate=500000r/s;

server
{
    listen 80;

    server_name www.xxx.com;
    access_log  /export/xxx/nginx/logs/www.xxx.com/www.xxx.com_access.log main;
    error_log   /export/xxx/nginx/logs/www.xxx.com/www.xxx.com_error.log warn;
    # @error_page must be defined as a named location in this server block
    error_page 411 = @error_page;

    root /export/App/www.xxx.com/;

    location / {

        set $flag "flag";
        # If the request comes from one of our own domains, set the CORS headers.
        # The pattern is anchored so that a foreign host that merely contains
        # "xxx.com" somewhere in its name does not match.
        if ($http_origin ~* "^https?://([a-z0-9-]+\.)*xxx\.(com|cn)(:[0-9]+)?$") {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Origin,X-Requested-With,Content-Type,Accept,Cache-Control,frLo';
            add_header 'Access-Control-Max-Age' 1728000;
            # add_header directives inside an if block replace those of the
            # enclosing location, so the cookie has to be repeated here.
            add_header Set-Cookie 'mycookie=xxxx;Path=/;SameSite=None; Secure';
        }

        # If it is a preflight request, set the CORS headers and return immediately
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Origin,X-Requested-With,Content-Type,Accept,Cache-Control,frLo';
            add_header 'Access-Control-Max-Age' 1728000;
            # Preflight requests are answered directly
            return 200;
        }

        proxy_next_upstream     http_500 http_502 http_503 http_504 error timeout invalid_header;
        proxy_set_header        Host  $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set the cookie; SameSite=None; Secure can of course also be appended to cookies set later
        add_header Set-Cookie 'mycookie=xxxx;Path=/;SameSite=None; Secure';
        proxy_pass              http://tomcat_server;
        expires                 0;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 32 32k;
    }

    # Handling of static resources
    location ~ .*\.(css|js|ico)$ {
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 3;
        gzip_types text/plain application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png image/x-icon;
        gzip_vary on;
        gzip_disable "MSIE [1-6]\.";
    }

    location /logs/ {
        autoindex       off;
        deny all;
    }

}
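The origin check in the config above deserves a closer look, because a regex such as `(xxx.com|xxx.cn)` used without anchors accepts far more than the two intended domains. The following is an added example (not code from the original post or from Nginx) that rewrites that check in JavaScript so the unanchored pattern and an anchored one can be compared on constructed Origin values; xxx.com and xxx.cn are the post's placeholder domains, and the patterns behave the same under PCRE in Nginx.

```javascript
// Added example: the origin allow-list from the Nginx `if ($http_origin ~* ...)`
// line, in two variants, run over constructed sample Origin header values.

// Unanchored, as in the original config: matches anywhere in the string, and
// the unescaped '.' matches any single character.
const LOOSE = /(xxx.com|xxx.cn)/i;

// Anchored: scheme, optional subdomains, the exact registrable domain, optional port.
const STRICT = /^https?:\/\/([a-z0-9-]+\.)*xxx\.(com|cn)(:[0-9]+)?$/i;

// Mirrors what the Nginx `if` does with one pattern and one Origin value.
function originAllowed(origin, pattern) {
  return pattern.test(origin);
}

// Constructed sample Origin values (the first two are legitimate, the rest are not).
const SAMPLES = [
  'https://www.xxx.com',               // our site
  'https://api.xxx.cn:8443',           // our site, non-default port
  'https://xxx.com.attacker.example',  // our domain used as a prefix of a foreign host
  'https://notxxx.com',                // our domain as a suffix of a foreign host
  'https://xxxxcom.example',           // '.' acting as a wildcard in the loose pattern
];

// Returns the subset of SAMPLES that a pattern would accept.
function acceptedOrigins(pattern) {
  return SAMPLES.filter(origin => originAllowed(origin, pattern));
}
```

With the loose pattern every sample is accepted and reflected into Access-Control-Allow-Origin together with Allow-Credentials: true; the anchored pattern accepts only the first two.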

How to simulate a request or change the requested domain name in Chrome

Press F12 to open the developer tools, right-click the request in the Network tab and choose Copy as fetch, open the Console tab, paste and press Enter; back in the Network tab you can now see the request that was just sent from the console. In the console you can of course change the domain name and the request parameters before sending.

 

How to temporarily change SameSite=None and Secure in the Chrome browser

Then tick

Right-click and edit SameSite to None.

From then on the edited value does not change even when the page is refreshed, unless the cache is cleared or the current session expires. This of course depends on the Expires/Max-Age column: if the cookie is of the Session type, the value reverts when the session expires. But this is only a temporary solution.

Nginx adds the cookie:

add_header Set-Cookie 'mycookie=xxxx;Path=/;SameSite=None; Secure';
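To tie the Set-Cookie line above back to situation one and situation two, here is an added example (not code from the original post, and not Chrome's real implementation) that parses such a header and then applies a simplified model of the Chrome 80 rules to decide whether the cookie would be attached to an Ajax request. Assumptions: a URL's "site" is just its host, so aaa.com and bbb.com are different sites; the request is a fetch/XHR subrequest rather than a top-level navigation; a cookie is only sent to the exact host that set it.

```javascript
// Parse a Set-Cookie header value (such as the one the Nginx config emits)
// into { name, value, domain, path, sameSite, secure }. Returns null when the
// browser would reject the cookie. `hostSettingIt` is the host that sent it.
function parseSetCookie(header, hostSettingIt) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: hostSettingIt, path: '/', sameSite: undefined, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v;
    else if (key === 'path') cookie.path = v;
    else if (key === 'domain') cookie.domain = v.replace(/^\./, '');
  }
  // Chrome 80+: SameSite=None is rejected unless the cookie is also Secure.
  if (cookie.sameSite && cookie.sameSite.toLowerCase() === 'none' && !cookie.secure) return null;
  return cookie;
}

// Would the browser attach `cookie` to an Ajax request from a page at
// `pageUrl` to `requestUrl`? (Simplified model, see assumptions above.)
function cookieIsSent(cookie, pageUrl, requestUrl) {
  const reqSite = new URL(requestUrl).host;
  // Cookies are scoped to a domain: an aaa.com cookie is never sent to bbb.com.
  if (cookie.domain !== reqSite) return false;
  // Situation one: same-site request, the cookie attributes do not matter.
  if (new URL(pageUrl).host === reqSite) return true;
  // Situation two: cross-site request. Chrome 80 treats a missing SameSite
  // attribute as Lax, and Lax/Strict cookies are not sent on cross-site subrequests.
  const mode = (cookie.sameSite || 'Lax').toLowerCase();
  if (mode !== 'none') return false;
  // A SameSite=None cookie is always Secure, so it only travels over https.
  return cookie.secure && new URL(requestUrl).protocol === 'https:';
}
```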

 


Origin blog.csdn.net/bingxuesiyang/article/details/125258977