当前位置: 文江博客话题详情

ASP.NET MVC 3身份验证cookie无法在iframe上工作

发布于 2025-01-17 18:04:29 字数 779 浏览 0 评论 0原文

我们正在分发一个 ASP.NET MVC 3.0 应用程序(C# 和 .NET 4.0),一些客户在其上有一个 iframe 进行一些自定义,但现在它已停止工作。我认为这与我们所做的一些安全更改有关:

  • 将“Content-Security-Policy”设置为“frame-ancestors 'self'”

  • 强制cookie属性(在global.asax.cs中,因为在4.0中没有任何其他方法可以设置相同的站点属性):

    • SameSite:严格
    • 安全:正确
    • 仅 Http:true

删除“Content-Security-Policy”和 cookie 重写后规则它已经起作用了。但是,当我尝试验证(用户/密码)时,不会发送验证 cookie,并且我无法重写它们,因为它们不随请求一起提供。

我在网络请求/响应的 Cookie 选项卡上看到以下消息: “通过 Set-Cookie 标头设置 cookie 的尝试被阻止,因为它具有“SameSite=Lax”属性,但来自跨站点响应,而不是对顶级导航的响应”。

我读到它与“最近的”浏览器安全更新和/或 Windows/ASP.NET 安全补丁有关,但经过一些研究,没有任何解决方案适合我......

在此处输入图像描述

原文

We are distributing an ASP.NET MVC 3.0 application (C# and .NET 4.0), and some customers had an iframe over it for some customizations, but now it has stopped working. I thought that it was related with some security changes we have made:

  • Set "Content-Security-Policy" to "frame-ancestors 'self'"

  • Force cookies properties (in global.asax.cs cause in 4.0 there isn't any other way to set the samesite property):

    • SameSite: Strict
    • Secure: true
    • HttpOnly: true

And after remove "Content-Security-Policy" and the cookie rewriting rule it has worked. But then, when I try to authenticate (user/password) the authentication cookie is not sent, and I can't rewrite them because they don't come with the request.

I see the following message on Cookie tab of network request/response:
"This attempt to set a cookie via a Set-Cookie header was blocked because it had the "SameSite=Lax" attibute but came from a cross-site response which was not the response to a top-level navigation".

I've read that it's related with "recent" browsers security updates and/or Windows/ASP.NET security patches, but after some research no solutions worked for me...

enter image description here

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

夜司空 2025-01-24 18:04:29

我找到了解决方案:

  1. 升级到.NET Framework 4.7.2:好的,我使用4.0,我计划今年升级到4.8。我已经在分支上进行了测试,并更改了该框架的一些新cookie属性。

  2. 但是,我有一个在我们网站上使用iframe的客户,而且迁移至4.8并不容易,因此我找到了使用IIS的URL重写模块的解决方案。而且,我提供了一个用于内容安全策略的规则,以添加我的()iframe页面主机。我遵循了这些链接:

那个客户:

<rewrite>
    <outboundRules>
        <preConditions>
            <!-- Checks User Agent to identify browsers incompatible with SameSite=None -->
            <preCondition name="IncompatibleWithSameSiteNone" logicalGrouping="MatchAny">
                <add input="{HTTP_USER_AGENT}" pattern="(CPU iPhone OS 12)|(iPad; CPU OS 12)" />
                <add input="{HTTP_USER_AGENT}" pattern="(Chrome/5)|(Chrome/6)" />
                <add input="{HTTP_USER_AGENT}" pattern="( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)" />
            </preCondition>
        </preConditions>
    
        <!-- Adds or changes SameSite to None for the session cookie -->
        <!-- Note that secure header is also required by Chrome and should not be added here -->
        <rule name="SessionCookieAddNoneHeader">
            <!-- Use this regex if your OS/framework/app adds SameSite=Lax automatically to the end of the cookie -->
            <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId[^=]*)(=.*))(?=SameSite)" />
            <action type="Rewrite" value="{R:1}; SameSite=None; Secure=true" />
        </rule>
        <!-- Adds or changes SameSite to None for the session cookie -->
        <!-- Note that secure header is also required by Chrome and should not be added here -->
        <rule name="FormsCookieAddNoneHeader">
            <!-- Use this regex if your OS/framework/app adds SameSite=Lax automatically to the end of the cookie -->
            <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASPXFORMSAUTH[^=]*)(=.*))(?=SameSite)" />
            <action type="Rewrite" value="{R:1}; SameSite=None; Secure=true" />
        </rule>
        <rule name="RewriteContentSecurityPolicy">
            <match serverVariable="RESPONSE_Content-Security-Policy" pattern="(.*)" />
            <action type="Rewrite" value="{R:0} iframehost" />
        </rule>
    
        <!-- Removes SameSite=None header from all cookies, for most incompatible browsers -->
        <rule name="CookieRemoveSameSiteNone" preCondition="IncompatibleWithSameSiteNone">
            <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=None)" />
            <action type="Rewrite" value="{R:1}" />
        </rule>
    </outboundRules>
</rewrite>

I've found the solution(s):

  1. Upgrade to .NET Framework 4.7.2: Ok, I'm on 4.0, and I've plans to upgrade to 4.8 this year. I've tested on a branch, and changing some of the new cookie properties of that framework, it works.

  2. But I've a customer that is using iframes over our website, and it isn't easy neither fast to migrate to 4.8, so I've found the solution with the URL Rewrite module of IIS. And I've included a rule for Content Security Policy to add my (their) iFrame page host. I've followed those links:

And my latest version of web.config for that customer:

<rewrite>
    <outboundRules>
        <preConditions>
            <!-- Checks User Agent to identify browsers incompatible with SameSite=None -->
            <preCondition name="IncompatibleWithSameSiteNone" logicalGrouping="MatchAny">
                <add input="{HTTP_USER_AGENT}" pattern="(CPU iPhone OS 12)|(iPad; CPU OS 12)" />
                <add input="{HTTP_USER_AGENT}" pattern="(Chrome/5)|(Chrome/6)" />
                <add input="{HTTP_USER_AGENT}" pattern="( OS X 10_14).*(Version/).*((Safari)|(KHTML, like Gecko)$)" />
            </preCondition>
        </preConditions>
    
        <!-- Adds or changes SameSite to None for the session cookie -->
        <!-- Note that secure header is also required by Chrome and should not be added here -->
        <rule name="SessionCookieAddNoneHeader">
            <!-- Use this regex if your OS/framework/app adds SameSite=Lax automatically to the end of the cookie -->
            <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASP.NET_SessionId[^=]*)(=.*))(?=SameSite)" />
            <action type="Rewrite" value="{R:1}; SameSite=None; Secure=true" />
        </rule>
        <!-- Adds or changes SameSite to None for the session cookie -->
        <!-- Note that secure header is also required by Chrome and should not be added here -->
        <rule name="FormsCookieAddNoneHeader">
            <!-- Use this regex if your OS/framework/app adds SameSite=Lax automatically to the end of the cookie -->
            <match serverVariable="RESPONSE_Set-Cookie" pattern="((.*)(ASPXFORMSAUTH[^=]*)(=.*))(?=SameSite)" />
            <action type="Rewrite" value="{R:1}; SameSite=None; Secure=true" />
        </rule>
        <rule name="RewriteContentSecurityPolicy">
            <match serverVariable="RESPONSE_Content-Security-Policy" pattern="(.*)" />
            <action type="Rewrite" value="{R:0} iframehost" />
        </rule>
    
        <!-- Removes SameSite=None header from all cookies, for most incompatible browsers -->
        <rule name="CookieRemoveSameSiteNone" preCondition="IncompatibleWithSameSiteNone">
            <match serverVariable="RESPONSE_Set-Cookie" pattern="(.*)(SameSite=None)" />
            <action type="Rewrite" value="{R:1}" />
        </rule>
    </outboundRules>
</rewrite>
回复 原文
~没有更多了~

关于作者

书间行客

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

月下凄凉

文章 0 评论 0

toutuxuethreejs

文章 0 评论 0

回首观望

文章 0 评论 0

蓝戈者

文章 0 评论 0

开飞机的贝塔β

文章 0 评论 0

zyxwd

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文