Diffstat (limited to 'files/de/web/http/headers/set-cookie/samesite/index.html')

-rw-r--r--  files/de/web/http/headers/set-cookie/samesite/index.html  133

1 files changed, 0 insertions, 133 deletions
diff --git a/files/de/web/http/headers/set-cookie/samesite/index.html b/files/de/web/http/headers/set-cookie/samesite/index.html deleted file mode 100644 index 84e0b68380..0000000000 --- a/files/de/web/http/headers/set-cookie/samesite/index.html +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: SameSite cookies -slug: Web/HTTP/Headers/Set-Cookie/SameSite -tags: - - HATTP - - IT -translation_of: Web/HTTP/Headers/Set-Cookie/SameSite ---- -<div>{{HTTPSidebar}}</div> - -<p><span class="seoSummary">The <strong><code>SameSite</code></strong> attribute of the {{HTTPHeader("Set-Cookie")}} HTTP response header allows you to declare if your cookie should be restricted to a <a href="/en-US/docs/Web/HTTP/Cookies#Third-party_cookies">first-party</a> or same-site context. </span></p> - -<div class="blockIndicator note"> -<p>Standards related to the Cookie <code>SameSite</code> attribute recently changed such that:</p> - -<ul> - <li>The cookie-sending behaviour if <code>SameSite</code> is not specified is <code>SameSite=Lax</code>. Previously the default was that cookies were sent for all requests.</li> - <li>Cookies with <code>SameSite=None</code> must now also specify the <code>Secure</code> attribute (they require a secure context/HTTPS).</li> -</ul> - -<p>This article documents the new standard. See <a href="#Browser_compatibility">Browser Compatibility</a> below for information about specific versions where the behaviour changed.</p> -</div> - -<h2 id="Values">Values</h2> - -<p>The <code>SameSite</code> attribute accepts three values:</p> - -<h3 id="Lax"><code>Lax</code></h3> - -<p>Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is <em>navigating to</em> the origin site (i.e. 
when following a link).</p> - -<p>This is the default cookie value if <code>SameSite</code> has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).</p> - -<div class="blockIndicator note"> -<p><code>Lax</code> replaced <code>None</code> as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery ({{Glossary("CSRF")}}) attacks.</p> -</div> - -<h3 id="Strict"><code>Strict</code></h3> - -<p>Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.</p> - -<h3 id="None"><code>None</code></h3> - -<p>Cookies will be sent in all contexts, i.e in responses to both first-party and cross-origin requests.If <code>SameSite=None</code> is set, the cookie <a href="/en-US/docs/Web/HTTP/Headers/Set-Cookie#Secure"><code>Secure</code></a> attribute must also be set (or the cookie will be blocked).</p> - -<h2 id="Fixing_common_warnings">Fixing common warnings</h2> - -<h3 id="SameSiteNone_requires_Secure"><code>SameSite=None</code> requires <code>Secure</code></h3> - -<p>Warnings like the ones below might appear in your console:</p> - -<pre class="syntaxbox notranslate">Cookie “<em>myCookie</em>” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute. 
- -This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".</pre> - -<p>The warning appears because any cookie that requests <code>SameSite=None</code> but is not marked <code>Secure</code> will be rejected.</p> - -<pre class="example-bad notranslate">Set-Cookie: flavor=choco; SameSite=None</pre> - -<p>To fix this, you will have to add the <code>Secure</code> attribute to your <code>SameSite=None</code> cookies.</p> - -<pre class="example-good notranslate">Set-Cookie: flavor=choco; SameSite=None; <strong>Secure</strong></pre> - -<p>A <a href="#Secure"><code>Secure</code></a> cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (<code>http:</code>) can't set cookies with the <code>Secure</code> directive.</p> - -<div class="blockIndicator note"> -<p>On older browser versions you might simply get a warning that the cookie will be blocked in future. For example:</p> - -<pre class="syntaxbox notranslate">Cookie “<em>myCookie</em>” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite -</pre> -</div> - -<h3 id="Cookies_without_SameSite_default_to_SameSiteLax">Cookies without <code>SameSite</code> default to <code>SameSite=Lax</code></h3> - -<p>Recent versions of modern browsers provide a more secure default for <code>SameSite</code> to your cookies and so the following message might appear in your console:</p> - -<pre class="syntaxbox notranslate">Cookie “<em>myCookie</em>” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute. 
-</pre> - -<p>The warning appears because the <code>SameSite</code> policy for a cookie was not explicitly specified:</p> - -<pre class="example-bad notranslate">Set-Cookie: flavor=choco</pre> - -<p>You should explicitly communicate the intended <code>SameSite</code> policy for your cookie (rather than relying on browsers to apply <code>SameSite=Lax</code> automatically). This will also improve the experience across browsers as not all of them default to <code>Lax</code> yet.</p> - -<pre class="example-good notranslate">Set-Cookie: flavor=choco; <strong>SameSite=Lax</strong></pre> - -<h2 id="Example"><strong>Example:</strong></h2> - -<pre class="notranslate">RewriteEngine on -RewriteBase "/" -RewriteCond "%{HTTP_HOST}" "^example\.org$" [NC] -RewriteRule "^(.*)" "https://www.example.org/index.html" [R=301,L,QSA] -RewriteRule "^(.*)\.ht$" "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;01;https://www.example.org;30/;SameSite=None;Secure] -RewriteRule "^(.*)\.htm$" "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;02;https://www.example.org;30/;SameSite=None;Secure] -RewriteRule "^(.*)\.html$" "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;03;https://www.example.org;30/;SameSite=None;Secure] -[...] 
-RewriteRule "^admin/(.*)\.html$" "admin/index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;09;https://www.example.org:30/;SameSite=Strict;Secure] -</pre> - -<h2 id="Specifications">Specifications</h2> - -<table class="standard-table"> - <thead> - <tr> - <th scope="col">Specification</th> - <th scope="col">Title</th> - </tr> - </thead> - <tbody> - <tr> - <td>{{RFC("6265", "Set-Cookie", "4.1")}}</td> - <td>HTTP State Management Mechanism</td> - </tr> - <tr> - <td><a href="https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05">draft-ietf-httpbis-rfc6265bis-05</a></td> - <td>Cookie Prefixes, Same-Site Cookies, and Strict Secure Cookies</td> - </tr> - </tbody> -</table> - -<h2 id="Browser_compatibility">Browser compatibility</h2> - -<p>{{Compat("http.headers.Set-Cookie", 5)}}</p> - -<h2 id="See_also">See also</h2> - -<ul> - <li><a href="/en-US/docs/Web/HTTP/Cookies">HTTP cookies</a></li> - <li>{{HTTPHeader("Cookie")}}</li> - <li>{{domxref("Document.cookie")}}</li> - <li><a href="https://web.dev/samesite-cookies-explained/">Samesite cookies explained</a> (web.dev blog)</li> -</ul> |
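Review bot: Removing this file leaves /de/docs/Web/HTTP/Headers/Set-Cookie/SameSite with no page, so the deletion should be paired with a redirect to the en-US article it was copied from; the removal itself is justified, since the content under files/de/ is untranslated English (the frontmatter `translation_of` points at the en-US slug, and the tags `HATTP` and `IT` are a typo and a non-localized value rather than German tags). Two defects in the Apache example being deleted are worth fixing wherever a copy of it survives: every `RewriteRule "^(.*)\.ht$" "index.php?nav=$1 [NC,L,QSA,CO=...]` line opens a quote on the substitution that is never closed, so the flags are swallowed into the substitution string, and the admin rule's cookie flag mixes separators (`https://www.example.org:30/` where the other rules use `;30/`), which mod_rewrite's `CO=` flag does not allow, as one separator character must be used for all of its fields; the domain field in every rule also carries a URL scheme where a host name is expected.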