diff options
Diffstat (limited to 'files/de/web/http/headers/set-cookie/samesite/index.html')
| -rw-r--r-- | files/de/web/http/headers/set-cookie/samesite/index.html | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/files/de/web/http/headers/set-cookie/samesite/index.html b/files/de/web/http/headers/set-cookie/samesite/index.html new file mode 100644 index 0000000000..51879c388d --- /dev/null +++ b/files/de/web/http/headers/set-cookie/samesite/index.html @@ -0,0 +1,135 @@ +--- +title: SameSite cookies +slug: Web/HTTP/Headers/Set-Cookie/SameSite +tags: + - HATTP + - IT +translation_of: Web/HTTP/Headers/Set-Cookie/SameSite +--- +<div>{{HTTPSidebar}}</div> + +<p><span class="seoSummary">The <strong><code>SameSite</code></strong> attribute of the {{HTTPHeader("Set-Cookie")}} HTTP response header allows you to declare if your cookie should be restricted to a <a href="/en-US/docs/Web/HTTP/Cookies#Third-party_cookies">first-party</a> or same-site context. </span></p> + +<div class="blockIndicator note"> +<p>Standards related to the Cookie <code>SameSite</code> attribute recently changed such that:</p> + +<ul> + <li>The cookie-sending behaviour if <code>SameSite</code> is not specified is <code>SameSite=Lax</code>. Previously the default was that cookies were sent for all requests.</li> + <li>Cookies with <code>SameSite=None</code> must now also specify the <code>Secure</code> attribute (they require a secure context/HTTPS).</li> +</ul> + +<p>This article documents the new standard. See <a href="#Browser_compatibility">Browser Compatibility</a> below for information about specific versions where the behaviour changed.</p> +</div> + +<h2 id="Values">Values</h2> + +<p>The <code>SameSite</code> attribute accepts three values:</p> + +<h3 id="Lax"><code>Lax</code></h3> + +<p>Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is <em>navigating to</em> the origin site (i.e. when following a link).</p> + +<p>This is the default cookie value if <code>SameSite</code> has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).</p> + +<div class="blockIndicator note"> +<p><code>Lax</code> replaced <code>None</code> as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery ({{Glossary("CSRF")}}) attacks.</p> +</div> + +<h3 id="Strict"><code>Strict</code></h3> + +<p>Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.</p> + +<h3 id="None"><code>None</code></h3> + +<p>Cookies will be sent in all contexts, i.e in responses to both first-party and cross-origin requests.If <code>SameSite=None</code> is set, the cookie <a href="/en-US/docs/Web/HTTP/Headers/Set-Cookie#Secure"><code>Secure</code></a> attribute must also be set (or the cookie will be blocked).</p> + +<h2 id="Fixing_common_warnings">Fixing common warnings</h2> + +<h3 id="SameSiteNone_requires_Secure"><code>SameSite=None</code> requires <code>Secure</code></h3> + +<p>Warnings like the ones below might appear in your console:</p> + +<pre class="syntaxbox notranslate">Cookie “<em>myCookie</em>” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute. + +This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".</pre> + +<p>The warning appears because any cookie that requests <code>SameSite=None</code> but is not marked <code>Secure</code> will be rejected.</p> + +<pre class="example-bad notranslate">Set-Cookie: flavor=choco; SameSite=None</pre> + +<p>To fix this, you will have to add the <code>Secure</code> attribute to your <code>SameSite=None</code> cookies.</p> + +<pre class="example-good notranslate">Set-Cookie: flavor=choco; SameSite=None; <strong>Secure</strong></pre> + +<p>A <a href="#Secure"><code>Secure</code></a> cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (<code>http:</code>) can't set cookies with the <code>Secure</code> directive.</p> + +<div class="blockIndicator note"> +<p>On older browser versions you might simply get a warning that the cookie will be blocked in future. For example:</p> + +<pre class="syntaxbox notranslate">Cookie “<em>myCookie</em>” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite +</pre> +</div> + +<h3 id="Cookies_without_SameSite_default_to_SameSiteLax">Cookies without <code>SameSite</code> default to <code>SameSite=Lax</code></h3> + +<p>Recent versions of modern browsers provide a more secure default for <code>SameSite</code> to your cookies and so the following message might appear in your console:</p> + +<pre class="syntaxbox notranslate">Cookie “<em>myCookie</em>” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. +</pre> + +<p>The warning appears because the <code>SameSite</code> policy for a cookie was not explicitly specified:</p> + +<pre class="example-bad notranslate">Set-Cookie: flavor=choco</pre> + +<p>You should explicitly communicate the intended <code>SameSite</code> policy for your cookie (rather than relying on browsers to apply <code>SameSite=Lax</code> automatically). This will also improve the experience across browsers as not all of them default to <code>Lax</code> yet.</p> + +<pre class="example-good notranslate">Set-Cookie: flavor=choco; <strong>SameSite=Lax</strong></pre> + +<h2 id="Example"><strong>Example:</strong></h2> + +<pre class="notranslate">RewriteEngine on +RewriteBase "/" +RewriteCond "%{HTTP_HOST}" "^example\.org$" [NC] +RewriteRule "^(.*)" "https://www.example.org/index.html" [R=301,L,QSA] +RewriteRule "^(.*)\.ht$" "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;01;https://www.example.org;30/;SameSite=None;Secure] +RewriteRule "^(.*)\.htm$" "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;02;https://www.example.org;30/;SameSite=None;Secure] +RewriteRule "^(.*)\.html$" "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;03;https://www.example.org;30/;SameSite=None;Secure] +[...] +RewriteRule "^admin/(.*)\.html$" "admin/index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;09;https://www.example.org:30/;SameSite=Strict;Secure] +</pre> + +<h2 id="Specifications">Specifications</h2> + +<table class="standard-table"> + <thead> + <tr> + <th scope="col">Specification</th> + <th scope="col">Title</th> + </tr> + </thead> + <tbody> + <tr> + <td>{{RFC("6265", "Set-Cookie", "4.1")}}</td> + <td>HTTP State Management Mechanism</td> + </tr> + <tr> + <td><a href="https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05">draft-ietf-httpbis-rfc6265bis-05</a></td> + <td>Cookie Prefixes, Same-Site Cookies, and Strict Secure Cookies</td> + </tr> + </tbody> +</table> + +<h2 id="Browser_compatibility">Browser compatibility</h2> + +<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p> + +<p>{{Compat("http.headers.Set-Cookie", 5)}}</p> + +<h2 id="See_also">See also</h2> + +<ul> + <li><a href="/en-US/docs/Web/HTTP/Cookies">HTTP cookies</a></li> + <li>{{HTTPHeader("Cookie")}}</li> + <li>{{domxref("Document.cookie")}}</li> + <li><a href="https://web.dev/samesite-cookies-explained/">Samesite cookies explained</a> (web.dev blog)</li> +</ul> |