浏览器同源政策及其规避方法
跨域资源共享 CORS 详解
Cookie 的 SameSite 属性
当跨域遇到Cookie与SameSite
Cross-Site Request Forgery is dead!
前端:
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
后端返回的response中增加这些字段
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:8080 (必须与请求网页一致的域名)
Access-Control-Expose-Headers: Origin
满足这些要求后还不一定能发送Cookie,需要注意Cookie中的SameSite字段。
文章中说Chrome80已经将SameSite默认设置为Lax。从Firefox 69开始进行测试,后续的版本也会将SameSite设置为Lax。
chrome官方文档说76版本已经开始SameSite默认设置为Lax
Cookies default to SameSite=Lax Network / Connectivity
我目前的版本chrome版本 81.0.4044.113 (正式版本),Cookie未设置SameSite,使用ajax发送get,post请求,可以发送cookie
跨域请求console中打印的警告信息 。
A cookie associated with a cross-site resource at http://127.0.0.1/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests
if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
前端html
<html>
<head>
<script type="text/javascript">
function loadXMLDoc()
{
var xmlhttp;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}
else
{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
console.log(xmlhttp.responseText);
}
}
xmlhttp.open("GET","http://127.0.0.1:8082/test/post",true);
//xmlhttp.open("POST","http://127.0.0.1:8082/test/post",true);
xmlhttp.withCredentials = true;
xmlhttp.send();
}
</script>
</head>
<body>
<h2>AJAX</h2>
<button type="button" onclick="loadXMLDoc()">cors</button>
<div id="myDiv"></div>
</body>
</html>
request和response
