Problem description
With the recent changes it seems that SameSite cookie attributes are throwing a wrench into my website now. A cross-browser iframe that was working before on my site is now broken, even with SameSite=None; Secure being passed for the iFrame in the response header.
I've seen very different reports, from people saying Windows 7 doesn't support SameSite=None, to others saying the Secure attribute is breaking it or not breaking it. But even the current Microsoft documentation doesn't lay out exactly how Win7 IE11 should react to SameSite=None.
At this point I'm looking for some tips or tricks from anyone who could assist. I've done everything I can think of. This worked before and now suddenly is blocking out the iFrame and throwing a 500 error. Could the order of the Set-Cookie attributes be causing this?
From some browser testing I've found the following:
The Set-Cookie response header:

Set-Cookie: MySitePersistence=436457226.47873.0000; path=/; httponly; secure; SameSite=none; Secure
I've tried targeting IE directly with rewrite preconditions:

<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=none" negate="true" />
<add input="{HTTP_USER_AGENT}" pattern="^.*MSIE ([0-9]{1,}[\\.0-9]{0,})*.*$" negate="true" />
<add input="{HTTP_USER_AGENT}" pattern="^.*Trident/.* rv:([0-9]{1,}[\\.0-9]{0,})*.*$" negate="true" />
Recommended answer
The issue occurs because the Asp.NET_SessionID cookie was not always being sent due to the new cookie changes, and the cookie now had a SameSite=Lax attribute.
You could set the SameSite property for the session cookie to "None" by adding this in web.config:
<system.web>
<sessionState cookieSameSite="None" />
</system.web>
Using an outbound rule (SameSite=None; Secure) also works.
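The following is an added example, not code from the question or the answer above. It models what the outbound rule plus the question's IE preconditions actually do to a Set-Cookie header, in plain JavaScript so the logic can be exercised offline: the rule only fires for non-IE user agents (the two regular expressions are the question's own) and only when the header does not already carry SameSite=none; when it fires, SameSite=None and Secure are guaranteed to be present. It goes a little beyond a literal IIS append: duplicate attributes such as the double "Secure" in the question's header are collapsed, and an existing SameSite=Lax (the ASP.NET_SessionId default the answer points at) is replaced rather than joined by a second SameSite attribute. The User-Agent strings and cookie values at the bottom are constructed samples.

```javascript
// Added example, not part of the original page. Assumed: the IE patterns below
// are exactly the ones from the question; sample headers/UAs are constructed.

// Preconditions from the question: the outbound rule must NOT apply to IE.
const IE_PATTERNS = [
  /^.*MSIE ([0-9]{1,}[\\.0-9]{0,})*.*$/,
  /^.*Trident\/.* rv:([0-9]{1,}[\\.0-9]{0,})*.*$/,
];

function isInternetExplorer(userAgent) {
  return IE_PATTERNS.some((re) => re.test(userAgent));
}

// Canonical spelling for the attributes we re-emit (cookie attribute names are
// case-insensitive, so "secure", "Secure" and "SECURE" are one attribute).
const CANONICAL = {
  path: "Path", domain: "Domain", expires: "Expires", "max-age": "Max-Age",
  httponly: "HttpOnly", secure: "Secure", samesite: "SameSite",
};

// Parse "name=value; attr; attr=value" into { name, value, attrs }.
// attrs is a Map keyed by lower-cased attribute name, so a later duplicate
// (the question's "secure; ...; Secure") simply overwrites the earlier one.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : part.slice(eq + 1).trim();
    attrs.set(key, val);
  }
  return { name, value: valueParts.join("="), attrs };
}

function serializeSetCookie({ name, value, attrs }) {
  const out = [`${name}=${value}`];
  for (const [key, val] of attrs) {
    const label = CANONICAL[key] || key;
    out.push(val === null ? label : `${label}=${val}`);
  }
  return out.join("; ");
}

// The outbound rule as the question's preconditions define it:
//  - IE user agent            -> rule does not match, header untouched
//  - header already has "; SameSite=none" (IIS patterns ignore case by default)
//                             -> rule does not match, header untouched
//  - otherwise                -> set SameSite=None and make sure Secure is present,
//                                since browsers only honour None on secure cookies
function rewriteSetCookie(header, userAgent) {
  if (isInternetExplorer(userAgent)) return header;
  if (/;\s*SameSite=none/i.test(header)) return header;
  const cookie = parseSetCookie(header);
  cookie.attrs.set("samesite", "None"); // replaces Lax/Strict in place
  cookie.attrs.set("secure", null);     // no-op if Secure was already there
  return serializeSetCookie(cookie);
}

// Constructed samples (not captured from the poster's site).
const SAMPLE_IE11_WIN7_UA =
  "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko";
const SAMPLE_CHROME_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36";
const SAMPLE_SESSION_COOKIE =
  "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax";

console.log(rewriteSetCookie(SAMPLE_SESSION_COOKIE, SAMPLE_CHROME_UA));
console.log(rewriteSetCookie(SAMPLE_SESSION_COOKIE, SAMPLE_IE11_WIN7_UA));
```

Note that for the header in the question the rule does not fire for anyone, IE or not, because it already contains "; SameSite=none"; the duplicated Secure is therefore passed through unchanged, which is consistent with the preconditions rather than a bug in them. The session cookie case is the one the answer addresses: with cookieSameSite="None" in web.config the Lax default never reaches the rule in the first place.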
This concludes the article on SameSite=None with Secure breaking an iFrame in IE11; we hope the recommended answer is helpful.