HttpOnly Cookie and fetch

Published 2025-01-20 10:23:49 · 204 characters · 1 view · 0 comments · Original


Will a cookie with the HttpOnly and Secure attributes be sent using Fetch API in case {credentials: "include"} is present in options?

fetch("https://some.url", {
  mode: "same-origin",
  credentials: "include",
  redirect: "manual"
})


Comments (1)

鱼窥荷 2025-01-27 10:23:49


There are several conditions that have to be met, but yes, they are.

  1. The client initializes a fetch request asynchronously with credentials: 'include'. See [here][1] for more details.
  2. To do CORS, the server response headers must contain Access-Control-Allow-Origin explicitly set to a domain, which could be different from the server domain. For example, in a Single-Page-App architecture, your frontend site is temporarily hosted at localhost:3000 and your backend server at localhost:8000; then the header should be Access-Control-Allow-Origin: http://localhost:3000. See [here][2] and [here][3].
  3. To allow the client to process cookies, which are obviously a sensitive resource, the server response headers must further contain Access-Control-Allow-Credentials: true. See [here][4]. Note that this enforces a non-wildcard setting for Access-Control-Allow-Origin. See [here][6]; that's why in point 2 above, it has to be explicitly set to something like http://localhost:3000 rather than *.
  4. When the server sets the cookie, it has to include SameSite=None; Secure; HttpOnly. So overall something like Set-Cookie: session_id=12345; SameSite=None; Secure; HttpOnly. SameSite seems to be a relatively [new requirement][5] in the latest browsers, and must be used together with Secure when SameSite is set to None.
  5. With regard to HttpOnly, I haven't found relevant material, but in my experiment, omitting it caused the browser to ignore the Set-Cookie header.
  6. Further requests to the backend server must also have credentials: 'include' set.

Source: https://stackoverflow.com/a/67001424/368691
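The conditions listed above, as an added example that is not part of the question or the answer: a few plain JavaScript functions that build the CORS headers and the Set-Cookie value a backend should emit, plus a simplified model of whether the browser attaches a stored cookie to a `fetch()` call. Two practitioner caveats the model also encodes: `mode: "same-origin"` (as in the question's snippet) makes a cross-origin fetch fail with a TypeError before any request is sent, so the CORS conditions only come into play with the default `mode: "cors"`; and `HttpOnly` only hides a cookie from `document.cookie`, it has no bearing on whether the browser sends it. Everything else is an assumption for illustration: the hostnames `frontend.example` and `backend.example`, the helper names, "site" approximated by hostname (browsers use scheme plus registrable domain), and Chromium's defaults (no SameSite attribute means Lax; SameSite=None without Secure is rejected).

```javascript
// Added example (not from the original question or answer). Models the conditions
// the answer lists as plain functions that run offline in Node.
// Assumptions for illustration: "site" is approximated by hostname (browsers use
// scheme + registrable domain); fetch() is a subresource request, so SameSite=Lax
// and Strict cookies are never attached cross-site; Chromium defaults (no SameSite
// attribute means Lax, SameSite=None without Secure is rejected).

// Server side: CORS headers for a credentialed request. Browsers refuse
// Access-Control-Allow-Origin: * once credentials are involved, and reflecting an
// arbitrary Origin would let any site make authenticated reads, so echo only an
// exact allow-listed origin and mark the response as varying on Origin.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null; // emit no CORS headers
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Server side: the Set-Cookie value. SameSite=None is only needed when frontend and
// backend are different sites, and it must be paired with Secure. HttpOnly keeps the
// cookie out of document.cookie; it has no effect on whether it is sent.
function sessionCookie(name, value, { crossSite }) {
  const sameSite = crossSite ? "None" : "Lax";
  return `${name}=${value}; SameSite=${sameSite}; Secure; HttpOnly; Path=/`;
}

// Browser side: parse a Set-Cookie header into the cookie the browser would store,
// or null when it rejects it. responseHost is the host that sent the header.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: responseHost, secure: false, httpOnly: false, sameSite: "Lax",
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = v; // expects None / Lax / Strict
    else if (key === "domain") cookie.domain = v.replace(/^\./, "");
  }
  if (cookie.sameSite === "None" && !cookie.secure) return null; // rejected by the browser
  return cookie;
}

const originOf = (url) => new URL(url).origin;
const siteOf = (url) => new URL(url).hostname; // simplification, see header comment

// Browser side: would fetch(requestUrl, { mode, credentials }) issued from a page at
// pageUrl carry `cookie`? Returns true, or a string naming the rule that stops it.
function cookieAttached(cookie, { pageUrl, requestUrl, mode = "cors", credentials = "same-origin" }) {
  const target = new URL(requestUrl);
  const sameOrigin = originOf(pageUrl) === originOf(requestUrl);
  if (mode === "same-origin" && !sameOrigin) return "request rejected: mode=same-origin";
  if (credentials === "omit") return "credentials=omit";
  if (credentials === "same-origin" && !sameOrigin) return "credentials=same-origin on cross-origin request";
  if (target.hostname !== cookie.domain) return "cookie domain does not match";
  if (cookie.secure && target.protocol !== "https:") return "Secure cookie over http";
  if (siteOf(pageUrl) !== siteOf(requestUrl) && cookie.sameSite !== "None") {
    return `SameSite=${cookie.sameSite} blocks cross-site fetch`;
  }
  return true; // cookie.httpOnly is deliberately never consulted
}

// Walk through the SPA scenario from the answer with constructed hostnames.
function demo() {
  const page = "https://frontend.example/";
  const api = "https://backend.example/api/me";
  const cookie = parseSetCookie(sessionCookie("session_id", "12345", { crossSite: true }), "backend.example");
  return {
    cors: corsHeadersFor("https://frontend.example", ["https://frontend.example"]),
    withInclude: cookieAttached(cookie, { pageUrl: page, requestUrl: api, credentials: "include" }),
    defaultMode: cookieAttached(cookie, { pageUrl: page, requestUrl: api }),
    sameOriginMode: cookieAttached(cookie, { pageUrl: page, requestUrl: api, mode: "same-origin", credentials: "include" }),
  };
}

console.log(demo());
```

Running `demo()` shows the three outcomes that matter for the question: with `credentials: "include"` the HttpOnly cookie is attached; with the default credentials mode it is withheld on a cross-origin request; and with `mode: "same-origin"` the request never leaves the browser. `corsHeadersFor()` returns `null` for an origin outside the allow-list so the backend never reflects an attacker's Origin together with `Access-Control-Allow-Credentials: true`.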
