Why is my cookie prefixed with __Host- getting rejected by Chrome?
Question {#heading}
I'm trying to leverage the cookie name prefix convention to get the browser to help me set secure cookies. My cookie is named `__Host-cookie` and it is set like this:

```
__Host-cookie=value; Path=/; Expires=Fri, 11 Aug 2023 04:58:13 GMT; Max-Age=86399; HttpOnly; Secure; SameSite=Strict
```
However Chrome refuses to set it and shows this error in the network log:
> This attempt to set a cookie via a Set-Cookie header was blocked because it used the "__Secure-" or "__Host-" prefix in its name and broke the additional rules applied to cookies with these prefixes as defined in https://datatracker.ietf.org/doc/html/draft-west-cookie-prefixes-05
The cookie itself seems fine to me. Only thing I can think of is that because I'm testing using a service running on my own machine, I'm setting the cookie from localhost and that maybe fails this requirement from the IETF docs:
> Set from a URI whose "scheme" is considered "secure" by the user agent
I expected localhost to be exempt though since it's exempt from other conventions that require a secure host. For example Chrome will happily send a cookie flagged Secure to a server running on http://localhost.
Does anyone see something wrong with my cookie?
Answer 1 {#1}
Score: 1
> If a cookie's name begins with "__Host-", the cookie MUST be:
>
> 1. Set with a "Secure" attribute
> 2. Set from a URI whose "scheme" is considered "secure" by the user agent.
> 3. Sent only to the host which set the cookie. That is, a cookie named "__Host-cookie1" set from "https://example.com" MUST NOT contain a "Domain" attribute (and will therefore be sent only to "example.com", and not to "subdomain.example.com").
> 4. Sent to every request for a host. That is, a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".
In your case it violates rule 2 as http://localhost isn't secure.
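The four `__Host-` rules quoted in the answer, plus the two that also apply to `__Secure-`, as a small Set-Cookie validator. This is an added example written for this page, not code from the question, the answer or Chrome; it models the draft's rules, not Chrome's implementation. It assumes, as the answer does, that only the `https:` scheme counts as "secure" for rule 2, so the question's cookie is rejected from `http://localhost` but accepted unchanged from an `https://` origin.

```javascript
// Model of the __Secure- / __Host- cookie prefix rules
// (draft-west-cookie-prefixes). Added example, not code from the post.
// Runs under Node: `node prefix-check.js`.

// Parse a Set-Cookie header value into name, value and a lowercase
// attribute map. Attribute values such as Expires may contain commas
// but never semicolons, so splitting on ';' is safe.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error('missing "=" in cookie name/value pair');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? true : part.slice(i + 1).trim();
    attrs.set(key, val);
  }
  return { name, value, attrs };
}

// Apply the prefix rules for a cookie set from originUrl.
// Returns { accepted, reasons } where reasons lists every violated rule.
function checkPrefixRules(header, originUrl) {
  const { name, attrs } = parseSetCookie(header);
  const origin = new URL(originUrl);
  const reasons = [];

  const hasSecurePrefix = name.startsWith('__Secure-');
  const hasHostPrefix = name.startsWith('__Host-');
  if (!hasSecurePrefix && !hasHostPrefix) {
    return { accepted: true, reasons }; // no prefix, no extra rules
  }

  // Rules 1 and 2 apply to both prefixes.
  if (!attrs.has('secure')) {
    reasons.push('rule 1: missing Secure attribute');
  }
  // Assumption for this example: only https counts as a "secure" scheme.
  if (origin.protocol !== 'https:') {
    reasons.push(`rule 2: set from non-secure scheme ${origin.protocol}`);
  }

  // Rules 3 and 4 apply to __Host- only.
  if (hasHostPrefix) {
    if (attrs.has('domain')) {
      reasons.push('rule 3: Domain attribute not allowed');
    }
    if (attrs.get('path') !== '/') {
      reasons.push('rule 4: Path attribute must be "/"');
    }
  }
  return { accepted: reasons.length === 0, reasons };
}

// The cookie from the question, verbatim.
const QUESTION_COOKIE =
  '__Host-cookie=value; Path=/; Expires=Fri, 11 Aug 2023 04:58:13 GMT; ' +
  'Max-Age=86399; HttpOnly; Secure; SameSite=Strict';

// Same header, two origins: the scheme is the only difference.
for (const origin of ['http://localhost:8080/', 'https://localhost:8443/']) {
  const result = checkPrefixRules(QUESTION_COOKIE, origin);
  console.log(origin, result.accepted ? 'accepted' : 'rejected', result.reasons);
}
```

Every attribute on the question's cookie satisfies rules 1, 3 and 4, so the only reason the validator reports for the `http://localhost` origin is rule 2; switching the same service to an `https://` origin (for example behind a local TLS terminator) makes the cookie acceptable without changing the header.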