SameSite cookies, frames, subdomains and redirects

Problem description

The SameSite concept for cookies is definitely a hard one to grasp...

In preparation for the Chrome 80 changes, I'm trying to measure the impact of a missing SameSite attribute on my cookies. I have the following setup:

  1. The user initially visits main.mysite.com
  2. main.mysite.com sets SomeCookie (Set-Cookie: SomeCookie=value; path=/; secure; httponly) and redirects to auth.mysite.com
  3. The user authenticates on auth.mysite.com and is redirected back to main.mysite.com (POST request)

Because the redirect between main.mysite.com and auth.mysite.com is considered same-site, and because a missing SameSite attribute is treated as SameSite=Lax by Chrome 80, this works fine.

However, when main.mysite.com is embedded in a frame of a page hosted on another site (e.g. othersite.com), SomeCookie is not sent back to main.mysite.com in step 3:

Illustration showing what goes wrong

Is this normal? Why?

Tags: google-chrome, cookies, samesite

Solution


The answer above is incorrect... let me clear up some confusion.

1. When are 2 sites "same-site" as far as SameSite is concerned?

Regardless of the cookie's Domain attribute, two sites are considered the same when their eTLD+1 (aka registrable domain) is the same. See my answer for a more detailed explanation.

So in this case, assuming the eTLD is ".com", we would consider auth.mysite.com and main.mysite.com to be the same site, because the eTLD+1 is mysite.com for both of them. On the other hand, anything.mysite.com and othersite.com are always cross-site. This is true whether it's a top-level navigation or a subresource request (like an image or a document in an iframe).

2. What does the Domain attribute mean?

If a cookie is set with Set-Cookie: cookiename=cookievalue; Domain=mysite.com, then the cookie will be sent on requests to any domain matching *.mysite.com (i.e. all subdomains).

This is a way to adjust the scope of a cookie. For example, you could use Domain=mysite.com for a global cookie that all of your domains care about, and Domain=corp.mysite.com for a cookie that all of your company's internal domains care about (but not your external-facing domains, for example).

The default (for cookies that don't explicitly set a Domain attribute) is that cookies are sent only to the domain that set the cookie. (No subdomains.)

You cannot set a Domain attribute that does not match the URL of the request.

(Also, there is no such thing as an "origin" attribute of a cookie.)

3. So what does Domain have to do with SameSite?

Nothing. They are independent cookie attributes. Domain doesn't care about the same-site/cross-site context, and SameSite doesn't care about domain/subdomain scope of the cookie.

4. When mysite.com is embedded in an iframe on othersite.com, why are default-Lax cookies not sent?

This is considered a cross-site context, because the site in the user's URL bar is othersite.com whereas the request is made to mysite.com, and these have two different eTLD+1's.

Because it's in an iframe, this is not a top-level navigation, so all cross-site requests will exclude SameSite cookies.

If it were a top-level navigation (the user clicks a link that takes them from othersite.com to mysite.com), then the request method matters. In the vast majority of cases this will be a GET request, so Lax-mode cookies are sent.

Hope this helps! You can refer to the latest version of the spec for more details.
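The following is an added example, not code from the question or the answer above: a small model of how a browser decides whether a cookie is attached to a request, built from the rules the answer lays out (eTLD+1 same-site comparison in point 1, Domain scoping in point 2, and the Lax rules for iframes versus top-level GET navigations in point 4). It then replays the asker's step 3 with and without the othersite.com frame. The function names, the tiny public-suffix list and the request fields are assumptions for illustration; a real browser uses the full Public Suffix List and has further nuances (redirect chains, schemes) that are deliberately left out here.

```javascript
// Added example, not from the original question or answer. Models the
// cookie-sending decision with the rules described in the answer; a missing
// SameSite attribute is treated as Lax, as Chrome 80 does.

// Constructed public-suffix list: only what this example needs.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// eTLD+1 ("registrable domain"): the public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // no known suffix: treat the whole host as the site
}

// Point 1: two hosts are same-site when their eTLD+1 is identical.
function isSameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// Point 2: no Domain attribute -> host-only; Domain=d -> d and all its subdomains.
// cookie.setBy is the host that issued the Set-Cookie header (assumed field).
function domainMatches(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === cookie.setBy.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

// Points 3 and 4. request (assumed shape):
//   host                 - the host the request goes to
//   siteForCookies       - for a frame or subresource: the site in the URL bar;
//                          for a top-level navigation: the page that initiated it
//   method               - HTTP method
//   isTopLevelNavigation - true only when the URL bar itself changes
function cookieIsSent(cookie, request) {
  if (!domainMatches(cookie, request.host)) return false; // Domain is independent of SameSite
  const sameSite = cookie.sameSite || "Lax"; // Chrome 80 default for a missing attribute
  if (sameSite === "None") return Boolean(cookie.secure); // Chrome 80 also requires Secure
  if (isSameSite(request.host, request.siteForCookies)) return true; // same-site: always sent
  // Cross-site from here on.
  if (sameSite === "Strict") return false;
  // Lax: only a top-level navigation with a safe method (GET) carries the cookie.
  return request.isTopLevelNavigation && request.method === "GET";
}

// Constructed from the question: no Domain and no SameSite attribute.
const SOME_COOKIE = { name: "SomeCookie", setBy: "main.mysite.com", secure: true };

// Step 3 of the question: auth.mysite.com sends the user back to main.mysite.com
// with a POST. embeddedIn is null for the plain flow, or the embedding site for a frame.
function step3Sent(embeddedIn) {
  return cookieIsSent(SOME_COOKIE, {
    host: "main.mysite.com",
    siteForCookies: embeddedIn || "auth.mysite.com",
    method: "POST",
    isTopLevelNavigation: embeddedIn === null,
  });
}

// A user clicking a link on othersite.com that leads to main.mysite.com (top-level GET).
function linkFromOtherSiteSent() {
  return cookieIsSent(SOME_COOKIE, {
    host: "main.mysite.com",
    siteForCookies: "othersite.com",
    method: "GET",
    isTopLevelNavigation: true,
  });
}

console.log("step 3, no frame:", step3Sent(null));                 // true
console.log("step 3, framed on othersite.com:", step3Sent("othersite.com")); // false
console.log("top-level GET from othersite.com:", linkFromOtherSiteSent());   // true
```

The two `step3Sent` calls are the asker's two situations: without the frame the POST is judged against auth.mysite.com, which shares the eTLD+1 mysite.com, so the cookie goes; inside the frame it is judged against othersite.com, the request is cross-site and neither top-level nor GET, so a default-Lax cookie is withheld. `domainMatches` runs first to show that Domain scoping is a separate gate from SameSite, as point 3 states.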

