Set-Cookie - HTTP | MDN - MDN Web Docs
December 9, 2024 · The HTTP Set-Cookie response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
SameSite cookies explained | Articles - web.dev
May 7, 2019 · The introduction of the SameSite attribute (defined in RFC6265bis) lets you declare whether your cookie is restricted to a first-party or same-site context. It's helpful to understand exactly what 'site' means here.
"Same-site" and "same-origin" | Articles - web.dev
April 15, 2020 · "Same-site" and "same-origin" are frequently cited but often misunderstood terms. For example, they're used in the context of page transitions, fetch() requests, cookies, opening popups, embedded resources, and iframes.
What is the difference between SameSite="Lax" and SameSite…
January 30, 2020 · Lax allows the cookie to be sent on some cross-site requests, whereas Strict never allows the cookie to be sent on a cross-site request. The situations in which Lax cookies can be sent cross-site must satisfy both of the following:
Understanding SameSite cookies - Andrew Lock
June 6, 2023 · SameSite cookies are designed as a line of defence against Cross-Site Request Forgery (CSRF) attacks. To understand why SameSite cookies are useful, we first need to understand CSRF attacks. The following is an excerpt from my new book ASP.NET Core in Action, Third Edition. If you like what you see, consider picking up a copy! 🙂.
SameSite - OWASP Foundation
SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks.
Schemeful Same-Site | Articles - web.dev
November 20, 2020 · Schemeful Same-Site modifies the definition of a (web)site from just the registrable domain to the scheme + registrable domain. You can find more details and examples in Understanding "same-site" and "same-origin".
SameSite Frequently Asked Questions (FAQ) - The Chromium …
January 8, 2021 · Chrome is changing the default behavior for how cookies will be sent in first and third party contexts. Cookies that do not specify a SameSite attribute will be treated as if they specified SameSite=Lax, i.e. they will be restricted to first-party or same-site contexts by default.
Work with SameSite cookies in ASP.NET | Microsoft Learn
July 11, 2022 · SameSite=None must be used to allow cross-site cookie use. Cookies that assert SameSite=None must also be marked as Secure. Applications that use <iframe> may experience issues with sameSite=Lax or sameSite=Strict cookies because <iframe> is treated as cross-site scenarios.
SameSite cookies and CSRF explained - DEV Community
October 14, 2024 · We might normally hear the terms SameSite and CSRF. What on earth are they, and what's the relationship between them? A cookie (also known as a web cookie or browser cookie) is a small piece of data a server sends to a user's web browser.