Published by powerfulyang on Apr 8, 2022
A cookie is set by a response header of the form Set-Cookie: NAME=VALUE; Expires=DATE; Path=PATH; Domain=DOMAIN_NAME; Secure. The attribute this page is about, SameSite, is added to that same header.
Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.
Note: Standards related to the Cookie SameSite attribute recently changed such that:
- The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
- Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).
- Cookies from the same domain are no longer considered to be from the same site if sent using a different scheme (http: vs. https:).
The SameSite attribute accepts three values:
- Lax: Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link). More precisely, a Lax cookie rides along only on top-level navigations that use a safe method such as GET; a cross-site form POST does not carry it. This is the default cookie value if SameSite has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility table). Lax replaced None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.
- Strict: Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
- None: Cookies will be sent in all contexts, i.e. with both first-party and cross-site requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).
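The three modes above, together with the schemeful same-site rule from the note, as an added JavaScript example that is not code from the original page: it models the browser's decision to attach a stored cookie to an outgoing request. The siteOf helper, the request shape and the scenario hosts (bank.example, evil.example) are assumptions made for the illustration; in particular the registrable domain is approximated as the last two host labels rather than looked up in the Public Suffix List, and an unrecognised SameSite value is assumed to behave like a missing one.

```javascript
// Added example (not from the original page): a model of the browser-side
// SameSite decision. "Site" is approximated as scheme + the last two host
// labels; real browsers use the Public Suffix List for the registrable domain,
// so treat this as an illustration, not a reference implementation.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const SAMESITE_VALUES = new Set(['Strict', 'Lax', 'None']);

// The scheme is part of the site ("schemeful same-site"): http://bank.example
// and https://bank.example are different sites even though the domain matches.
function siteOf(urlString) {
  const url = new URL(urlString);
  const registrable = url.hostname.split('.').slice(-2).join('.'); // simplification
  return `${url.protocol}//${registrable}`;
}

// A missing SameSite attribute falls back to Lax. Treating an unrecognised
// value the same way is an assumption of this model.
function effectiveSameSite(cookie) {
  return SAMESITE_VALUES.has(cookie.sameSite) ? cookie.sameSite : 'Lax';
}

// cookie:  { name, sameSite?: 'Strict' | 'Lax' | 'None', secure: boolean }
// request: { initiator: URL of the document issuing the request,
//            target:    URL being requested,
//            topLevelNavigation: true for link clicks / form posts that replace
//                                the top-level document, false for subrequests,
//            method: HTTP method }
function shouldSendCookie(cookie, request) {
  const target = new URL(request.target);

  // A Secure cookie is only ever sent over https.
  if (cookie.secure && target.protocol !== 'https:') return false;

  // SameSite=None without Secure is rejected at set time, so it never exists to send.
  if (cookie.sameSite === 'None' && !cookie.secure) return false;

  // Same-site requests (scheme included) are never restricted by SameSite.
  if (siteOf(request.initiator) === siteOf(request.target)) return true;

  switch (effectiveSameSite(cookie)) {
    case 'Strict':
      return false;
    case 'None':
      return true;
    default: // 'Lax'
      // Sent only on top-level navigations with a safe method, e.g. following a
      // link. Cross-site POSTs and subresource loads (img, iframe, fetch) do not
      // carry the cookie.
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
  }
}

// Constructed scenarios: a session cookie for bank.example that was set without
// an explicit SameSite attribute, and a page on evil.example trying to use it.
const SESSION = { name: 'session', sameSite: undefined, secure: true };
const SCENARIOS = [
  { label: 'cross-site form POST (classic CSRF)',
    request: { initiator: 'https://evil.example/', target: 'https://bank.example/transfer', topLevelNavigation: true, method: 'POST' } },
  { label: 'cross-site link click',
    request: { initiator: 'https://evil.example/', target: 'https://bank.example/account', topLevelNavigation: true, method: 'GET' } },
  { label: 'cross-site <img> subrequest',
    request: { initiator: 'https://evil.example/', target: 'https://bank.example/avatar.png', topLevelNavigation: false, method: 'GET' } },
  { label: 'http page of the same domain fetching https (schemeful cross-site)',
    request: { initiator: 'http://bank.example/', target: 'https://bank.example/account', topLevelNavigation: false, method: 'GET' } },
];

function runScenarios(cookie = SESSION) {
  return SCENARIOS.map(({ label, request }) => ({ label, sent: shouldSendCookie(cookie, request) }));
}

console.table(runScenarios());
```

Run it with node: the table shows that the cookie without an explicit SameSite is still attached to a cross-site link click (Lax allows top-level GET navigations) but not to a cross-site POST, an image load, or a request from an http: page of the same domain, which is exactly the CSRF trade-off the Lax default makes. Chrome's temporary "Lax+POST" allowance for cookies set within the last two minutes is deliberately not modelled.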
Warnings like the ones below might appear in your console:
Cookie "myCookie" rejected because it has the "SameSite=None" attribute but is missing the "secure" attribute.
This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".
The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected:
Set-Cookie: flavor=choco; SameSite=None
To fix this, you will have to add the Secure attribute to your SameSite=None cookies:
Set-Cookie: flavor=choco; SameSite=None; Secure
A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (http:) can't set cookies with the Secure attribute, so a SameSite=None cookie can only be set from an https: origin.
Note: On older browser versions you might get a warning that the cookie will be blocked in future. For example:
Cookie "myCookie" will be soon rejected because it has the "SameSite" attribute set to "None" or an invalid value, without the "secure" attribute.
Recent versions of modern browsers apply a more secure default SameSite value to your cookies, and so the following message might appear in your console:
Cookie "myCookie" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute.
The warning appears because the SameSite policy for a cookie was not explicitly specified:
Set-Cookie: flavor=choco
You should explicitly communicate the intended SameSite policy for your cookie (rather than relying on browsers to apply SameSite=Lax automatically). This will also improve the experience across browsers, as not all of them default to Lax yet:
Set-Cookie: flavor=choco; SameSite=Lax
Treat SameSite as defense in depth rather than a replacement for anti-CSRF tokens: Lax still sends the cookie on cross-site top-level GET navigations, and browsers that do not default to Lax send it everywhere when the attribute is missing.
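The two console messages above (SameSite=None without Secure, and a missing SameSite defaulting to Lax) and the rule that an http: origin cannot set a Secure cookie, as an added JavaScript example that is not code from the original page: it checks a Set-Cookie header value on the server side before it is sent and produces the corrected header. parseSetCookie, evaluateSetCookie and hardenSetCookie are names chosen here, the origin scheme is passed in by the caller, and treating an unrecognised SameSite value as if it were missing is an assumption.

```javascript
// Added example (not from the original page): apply the rules behind the
// console messages to a Set-Cookie header before it leaves the server.
// Assumptions: the caller supplies the scheme of the origin setting the cookie,
// and an unrecognised SameSite value is treated as if it were absent.

const SAMESITE_NAMES = new Set(['Strict', 'Lax', 'None']);

// Parse "name=value; Attr; Attr=val". An optional "Set-Cookie:" prefix is
// tolerated. Attribute names are case-insensitive, so they are lower-cased.
function parseSetCookie(header) {
  const body = header.replace(/^set-cookie:\s*/i, '');
  const [pair, ...rest] = body.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Returns { accepted, sameSite, secure, warnings }, mirroring what a browser
// console would report for this header.
function evaluateSetCookie(header, originScheme) {
  const { name, attributes } = parseSetCookie(header);
  const warnings = [];
  const secure = attributes.secure === true;

  // Insecure origins cannot set Secure cookies at all.
  if (secure && originScheme !== 'https') {
    warnings.push(`Cookie "${name}" rejected because an insecure (${originScheme}:) origin cannot set a cookie with the "Secure" attribute.`);
    return { accepted: false, sameSite: null, secure, warnings };
  }

  let sameSite = 'Lax';
  const raw = attributes.samesite;
  if (raw === undefined) {
    warnings.push(`Cookie "${name}" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute.`);
  } else {
    // Values are case-insensitive: "none" -> "None".
    const norm = typeof raw === 'string' ? raw.charAt(0).toUpperCase() + raw.slice(1).toLowerCase() : '';
    if (SAMESITE_NAMES.has(norm)) {
      sameSite = norm;
    } else {
      warnings.push(`Cookie "${name}" has an unrecognised SameSite value; treating it as unspecified (Lax).`);
    }
  }

  // SameSite=None is only honoured together with Secure.
  if (sameSite === 'None' && !secure) {
    warnings.push(`Cookie "${name}" rejected because it has the "SameSite=None" attribute but is missing the "secure" attribute.`);
    return { accepted: false, sameSite, secure, warnings };
  }
  return { accepted: true, sameSite, secure, warnings };
}

// Rewrite a header with an explicit SameSite value, adding Secure whenever
// SameSite=None is requested (or the original already had it).
function hardenSetCookie(header, sameSite = 'None') {
  const { attributes } = parseSetCookie(header);
  const body = header.replace(/^set-cookie:\s*/i, '');
  const kept = body.split(';').map((s) => s.trim())
    .filter((part) => part && !/^(samesite|secure)\s*(=|$)/i.test(part));
  kept.push(`SameSite=${sameSite}`);
  if (sameSite === 'None' || attributes.secure === true) kept.push('Secure');
  return kept.join('; ');
}

// Constructed headers from the text above, checked as an https: origin would see them.
for (const h of ['flavor=choco; SameSite=None', 'flavor=choco', hardenSetCookie('flavor=choco; SameSite=None')]) {
  console.log(h, '=>', evaluateSetCookie(h, 'https'));
}
```

hardenSetCookie strips any existing SameSite or Secure token before appending the explicit policy, so it is safe to run over headers a framework has already partially decorated; pass 'Lax' or 'Strict' as the second argument for first-party cookies that have no business being sent cross-site.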