
Why is my cookie prefixed with __Host- getting rejected by Chrome?

Question {#heading}

I'm trying to leverage the cookie name prefix convention to get the browser to help me set secure cookies. My cookie is named __Host-cookie and it is set like this:

__Host-cookie=value; Path=/; Expires=Fri, 11 Aug 2023 04:58:13 GMT; Max-Age=86399; HttpOnly; Secure; SameSite=Strict

However Chrome refuses to set it and shows this error in the network log:

> This attempt to set a cookie via a Set-Cookie header was blocked because it used the "__Secure-" or "__Host-" prefix in its name and broke the additional rules applied to cookies with these prefixes as defined in https://datatracker.ietf.org/doc/html/draft-west-cookie-prefixes-05

The cookie itself seems fine to me. The only thing I can think of is that because I'm testing using a service running on my own machine, I'm setting the cookie from localhost and that maybe fails this requirement from the IETF docs:

> Set from a URI whose "scheme" is considered "secure" by the user agent

I expected localhost to be exempt though since it's exempt from other conventions that require a secure host. For example Chrome will happily send a cookie flagged Secure to a server running on http://localhost.

Does anyone see something wrong with my cookie?

Answer 1 {#1}

Score: 1

> If a cookie's name begins with "__Host-", the cookie MUST be:
>
> 1. Set with a "Secure" attribute
> 2. Set from a URI whose "scheme" is considered "secure" by the user agent.
> 3. Sent only to the host which set the cookie. That is, a cookie named "__Host-cookie1" set from "https://example.com" MUST NOT contain a "Domain" attribute (and will therefore be sent only to "example.com", and not to "subdomain.example.com").
> 4. Sent to every request for a host. That is, a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".

In your case it violates rule 2 as http://localhost isn't secure.
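As an added example (not code from the question or the answer above), the following Python checker applies the four `__Host-` rules quoted in the answer, plus the two that also apply to `__Secure-`, to a raw `Set-Cookie` header and the URL it was set from. It is useful for reproducing the browser's decision server-side before a cookie ever reaches Chrome. The one modelling assumption is that only the `https` scheme counts as "secure" for rule 2, which is the reading the answer applies to http://localhost; the sample header is the asker's exact cookie.

```python
from urllib.parse import urlsplit

# Constructed sample: the exact Set-Cookie header from the question.
ASKER_COOKIE = (
    "__Host-cookie=value; Path=/; Expires=Fri, 11 Aug 2023 04:58:13 GMT; "
    "Max-Age=86399; HttpOnly; Secure; SameSite=Strict"
)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None. Splitting on ';' is safe even though the Expires
    value contains a comma.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def prefix_violations(set_cookie_header: str, request_url: str) -> list:
    """Return the prefix rules a cookie breaks; an empty list means it is accepted.

    Rules follow draft-west-cookie-prefixes: a __Secure- cookie needs the
    Secure attribute and a secure source scheme; a __Host- cookie must also
    carry no Domain attribute and must have Path=/.
    Assumption of this example: only 'https' counts as a secure scheme.
    """
    name, _, attrs = parse_set_cookie(set_cookie_header)
    violations = []
    if not (name.startswith("__Secure-") or name.startswith("__Host-")):
        return violations  # unprefixed cookies are not subject to these rules
    if "secure" not in attrs:
        violations.append("missing Secure attribute")
    if urlsplit(request_url).scheme.lower() != "https":
        violations.append(f"set from insecure scheme: {request_url}")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            violations.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            violations.append("Path must be exactly '/'")
    return violations


if __name__ == "__main__":
    # The asker's cookie: rejected from http://localhost, accepted over https.
    for url in ("http://localhost:8080/login", "https://localhost:8443/login"):
        problems = prefix_violations(ASKER_COOKIE, url)
        print(url, "->", problems or "accepted")
```

Run as a script it reports the scheme violation for the http://localhost URL and "accepted" for the https one, which matches the answer: the header's attributes satisfy rules 1, 3 and 4, and only the source scheme is at fault. Serving the local test instance over TLS (a self-signed certificate is enough for development) removes the only violation without changing the cookie.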

