How to handle the SameSite cross-domain problem after Chrome version 80

2022-06-21 19:34:00 pocher

What changed from Chrome version 80 onward:

Case 1:

If the domain in the address bar is aaa.com and the Ajax request also goes to aaa.com, then the cookies stored under aaa.com are sent with any request to the aaa.com domain. For example: logging in to aaa.com sets a cookie (assume the cookie is token=123); an Ajax call to the aaa.com/api/queryUser interface carries that cookie, regardless of whether the cookie has Secure and SameSite=None set.

Case 2:

If the domain in the address bar is aaa.com and the Ajax request goes to bbb.com, then the cookies stored under bbb.com can be sent with requests to the bbb.com domain. For example: logging in to bbb.com sets a cookie (assume the cookie is token=123); an Ajax call to the bbb.com/api/queryUser interface can carry that cookie, but only if the token=123 cookie has the Secure and SameSite=None attributes set; otherwise, even though the cookie belongs to the same domain as the request, it is not delivered. Note: here the address bar shows aaa.com while the request goes to bbb.com/api/queryUser; for the cross-domain case itself, even Secure and SameSite=None do not make it work.
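The two cases above, as an added example (not code from the original post): a small model of how Chrome 80+ decides whether a stored cookie is attached to a request, run against constructed cookies and URLs. It assumes a registrable domain is the last two host labels (no public-suffix list) and models cookie attachment only; the CORS headers in the Nginx configuration are a separate check.

```javascript
// Added example (not code from the original post): a model of how Chrome 80+ decides whether a
// stored cookie is attached to a request. Sites, URLs and cookies below are constructed.
// Assumption: a registrable domain is the last two host labels (no public-suffix list).
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse a Set-Cookie value; from Chrome 80 a missing SameSite attribute means SameSite=Lax.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: "Lax" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (/^secure$/i.test(k)) c.secure = true;
    else if (/^samesite$/i.test(k)) c.sameSite = v.charAt(0).toUpperCase() + v.slice(1).toLowerCase();
  }
  return c;
}

// Is the cookie stored at all? SameSite=None is rejected without Secure, and Secure needs https.
function isStored(cookie, responseUrl) {
  if (cookie.sameSite === "None" && !cookie.secure) return false;
  return !(cookie.secure && new URL(responseUrl).protocol !== "https:");
}

// Is the cookie attached? ctx = { topLevelSite (address-bar host), requestUrl,
// topLevelNavigation (bool), method }. Ajax/fetch calls are never top-level navigations.
function isSent(cookie, ctx) {
  const req = new URL(ctx.requestUrl);
  if (cookie.secure && req.protocol !== "https:") return false;
  if (registrableDomain(ctx.topLevelSite) === registrableDomain(req.hostname)) return true; // case 1
  if (cookie.sameSite === "None") return true;    // case 2 with SameSite=None; Secure
  if (cookie.sameSite === "Strict") return false;
  // Lax (the Chrome 80 default): only top-level navigations with a safe method
  return Boolean(ctx.topLevelNavigation) && ["GET", "HEAD"].includes((ctx.method || "GET").toUpperCase());
}

// The two situations from the post: an Ajax GET from a page whose address bar shows aaa.com.
function runCases() {
  const ajax = (requestUrl) => ({ topLevelSite: "aaa.com", requestUrl, topLevelNavigation: false, method: "GET" });
  const plain = parseSetCookie("token=123");
  const none = parseSetCookie("token=123; Path=/; SameSite=None; Secure");
  return {
    case1: isSent(plain, ajax("https://aaa.com/api/queryUser")),      // true
    case2Plain: isSent(plain, ajax("https://bbb.com/api/queryUser")), // false: Lax blocks cross-site Ajax
    case2None: isSent(none, ajax("https://bbb.com/api/queryUser")),   // true
    noneWithoutSecure: isStored(parseSetCookie("token=123; SameSite=None"), "https://bbb.com/login"), // false
  };
}
```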

Complete Nginx configuration:

upstream tomcat_server {
    server 127.0.0.1:8001 weight=10 max_fails=2 fail_timeout=30s;
}

log_format newmain '$remote_addr - "$http_x_forwarded_for" - "$http_j_forwarded_for" - $remote_user [$time_local] '
                   '"$request" $status $bytes_sent '
                   '"$http_referer" "$http_user_agent" '
                   '"$gzip_ratio"';

# Rate limiting module
limit_req_zone $binary_remote_addr zone=ip_limit_index:20m rate=500000r/s;

server
{
    listen 80;

    server_name www.xxx.com;
    access_log  /export/xxx/nginx/logs/www.xxx.com/www.xxx.com_access.log main;
    error_log   /export/xxx/nginx/logs/www.xxx.com/www.xxx.com_error.log warn;
    error_page 411 = @error_page;

    root /export/App/www.xxx.com/;

    location / {

        set $flag "flag";
        # If the request comes from one of the allowed domains, add the CORS headers.
        # The pattern is anchored and its dots escaped so that only xxx.com, xxx.cn and their
        # subdomains match; an unanchored "(xxx.com|xxx.cn)" also matches any origin that merely
        # contains those characters, which is unsafe when the origin is reflected together with
        # Access-Control-Allow-Credentials: true.
        if ($http_origin ~* "^https?://([a-z0-9-]+\.)*xxx\.(com|cn)$") {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Origin,X-Requested-With,Content-Type,Accept,Cache-Control,frLo';
            add_header 'Access-Control-Max-Age' 1728000;
        }

        # If this is a preflight request, set the CORS headers and answer it directly.
        # Note that this block reflects any Origin on the preflight; the actual response only
        # carries the headers when the origin check above matched.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Origin,X-Requested-With,Content-Type,Accept,Cache-Control,frLo';
            add_header 'Access-Control-Max-Age' 1728000;
            # Answer the preflight directly
            return 200;
        }

        proxy_next_upstream     http_500 http_502 http_503 http_504 error timeout invalid_header;
        proxy_set_header        Host  $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set a cookie; other cookies can be given SameSite=None; Secure the same way later.
        # Caveat: add_header is not inherited into an "if" block that declares its own add_header,
        # so when the origin check above matches, this Set-Cookie is only emitted if it is repeated
        # inside that block as well.
        add_header Set-Cookie 'mycookie=xxxx;Path=/;SameSite=None; Secure';
        proxy_pass              http://tomcat_server;
        expires                 0;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 32 32k;
    }

    # Static resources
    location ~ .*\.(css|js|ico)$ {
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 3;
        gzip_types text/plain application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png image/x-icon;
        gzip_vary on;
        gzip_disable "MSIE [1-6]\.";
    }

    location /logs/ {
        autoindex off;
        deny all;
    }

}
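Because the configuration reflects the request's Origin together with Access-Control-Allow-Credentials: true, the origin check has to match whole origins only. The following is an added example (not from the original post, and not Nginx) that compares the unanchored pattern with an anchored one over constructed origins, using the xxx.com / xxx.cn placeholders from the config.

```javascript
// Added example (not from the original post): checks the Origin allow-list pattern from the Nginx
// "if ($http_origin ~* ...)" block against an anchored version, the way a reviewer would test it
// before reflecting Origin together with Access-Control-Allow-Credentials: true.
// The origins below are constructed; xxx.com / xxx.cn are the placeholders from the config.

// Pattern as written in the config: no anchors and unescaped dots, so it is a substring match.
const loosePattern = /(xxx.com|xxx.cn)/i;

// Anchored pattern: the whole origin must be xxx.com, xxx.cn or one of their subdomains.
const strictPattern = /^https?:\/\/([a-z0-9-]+\.)*xxx\.(com|cn)$/i;

function isAllowedOrigin(origin, pattern) {
  return pattern.test(origin);
}

// Headers the proxy would add for a request from `origin`, mirroring the Nginx block but using
// the anchored pattern. An empty object means no CORS headers, so the browser blocks the read.
function corsHeadersFor(origin, pattern = strictPattern) {
  if (!origin || !isAllowedOrigin(origin, pattern)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,Cache-Control,frLo",
    "Vary": "Origin", // added here: a reflected origin must not be served from cache to another origin
  };
}

// Constructed origins: two legitimate ones and three that only the loose pattern accepts.
const SAMPLE_ORIGINS = [
  "https://www.xxx.com",
  "https://api.xxx.cn",
  "https://xxx.com.other.example", // allowed domain used as a subdomain of another site
  "https://notxxx.com",            // allowed domain as the suffix of another name
  "https://xxxacom",               // the unescaped dot matches any character
];

// Evaluate both patterns over the sample origins.
function compareOrigins(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    loose: isAllowedOrigin(origin, loosePattern),
    strict: isAllowedOrigin(origin, strictPattern),
  }));
}
```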

How to simulate or modify the request domain in the Chrome browser

Press F12 to open developer tools, right-click the request path and choose Copy as fetch, open the Console tab, paste and press Enter. Back on the Network tab you can see the request that was just sent from the console; in the console you can of course modify the domain and the request parameters.

How to temporarily modify SameSite=None and Secure in the Chrome browser

Tick the Secure checkbox,

then right-click and edit SameSite to None.

From this point on the edited value stays even if the page is refreshed, unless the cache is cleared or the current session expires. This is tied to the Expires/Max-Age column: if it is a Session cookie, the original value is restored once the session expires. But this is only a temporary workaround.

Cookie added by Nginx:

add_header Set-Cookie 'mycookie=xxxx;Path=/;SameSite=None; Secure';

Original site

Copyright notice
This article was written by [pocher]; please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/172/202206211759568677.html