谷歌 Chrome80 在 2月4号发布的版本(schedule)会逐渐屏蔽第三方Cookie,即默认为所有Cookie加上SameSite=Lax属性(Cookies default to SameSite=Lax),并且拒绝为不安全的Cookie设置SameSite=None属性(Reject insecure SameSite=None cookies),这样是为了从源头屏蔽跨站请求伪造CSRF(Cross Site Request Forgery)漏洞。
解决方法
方法一
通过部署第三方代理(例如nginx等)指定SameSite属性来解决跨域问题(前提:需要部署https)
修改nginx配置文件
server {listen 443 ssl;# 证书公钥文件路径ssl_certificate /xxx/xxx.pem;# 证书私钥文件路径ssl_certificate_key /xxx/xxx.key;location / {proxy_pass http://127.0.0.1:8080/;proxy_redirect default;proxy_cookie_path / "/; secure; SameSite=None";client_max_body_size 1000M;}......}
方法二
异构系统通过反向代理,配置成同域(URL的协议、域名和端口相同),然后通过nginx代理访问各系统
nginx配置如下:
#user root root;worker_processes 1events {worker_connections 1024;}http {include mime.types;default_type application/octet-stream;sendfile on;keepalive_timeout 65;server {listen 80;server_name localhost 192.168.1.3;location /a/ {proxy_pass http://192.168.1.1;proxy_set_header Host $host:$server_port;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;client_max_body_size 100m;client_body_buffer_size 128k;proxy_connect_timeout 90;proxy_send_timeout 300;proxy_read_timeout 300;proxy_buffer_size 4k;proxy_buffers 4 32k;proxy_busy_buffers_size 64k;proxy_temp_file_write_size 64k;}location /b/ {proxy_pass http://192.168.1.2;proxy_set_header Host $host:$server_port;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;client_max_body_size 100m;client_body_buffer_size 128k;proxy_connect_timeout 90;proxy_send_timeout 300;proxy_read_timeout 300;proxy_buffer_size 4k;proxy_buffers 4 32k;proxy_busy_buffers_size 64k;proxy_temp_file_write_size 64k;}error_page 500 502 503 504 /50x.html;location = /50x.html {root /usr/share/nginx/html;}}}
方法三
对于http的系统,修改chrome安全策略
1、打开chrome,输入
chrome://flags/
2、搜索
SameSite by default cookies
找到如下两项,并都设置为 Disable
SameSite by default cookiesCookies without SameSite must be secure
