[Translation] The new cookie security model is coming: what do we need to prepare? (bilingual)

  • Original: Get Ready for New SameSite=None; Secure Cookie Settings
    webmasters.googleblog.com/2020/01/get…
  • Translator: 西楼听雨 (WeChat name t.t.)
  • In May, Chrome announced a secure-by-default model for cookies, enabled by a new cookie classification system (spec). This initiative is part of our ongoing effort to improve privacy and security across the web.
  • Chrome plans to implement the new model with Chrome 80 in February 2020. Mozilla and Microsoft have also indicated intent to implement the new model in Firefox and Edge, on their own timelines. While the Chrome changes are still a few months away, it’s important that developers who manage cookies assess their readiness today. This blog post outlines high level concepts; please see SameSite Cookies Explained on web.dev for developer guidance.

Understanding Cross-Site and Same-Site Cookie Context

  • Websites typically integrate external services for advertising, content recommendations, third party widgets, social embeds and other features. As you browse the web, these external services may store cookies in your browser and subsequently access those cookies to deliver personalized experiences or measure audience engagement. Every cookie has a domain associated with it. If the domain associated with a cookie matches an external service and not the website in the user’s address bar, this is considered a cross-site (or “third party”) context.
  • Less obvious cross-site use cases include situations where an entity that owns multiple websites uses a cookie across those properties. Although the same entity owns the cookie and the websites, this still counts as cross-site or “third party” context when the cookie’s domain does not match the site(s) from which the cookie is accessed.
  • In contrast, cookie access in a same-site (or “first party”) context occurs when a cookie’s domain matches the website domain in the user’s address bar. Same-site cookies are commonly used to keep people logged into individual websites, remember their preferences and support site analytics.
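The "less obvious" cases above all come down to how the two domains are compared, so here is an added example (my own code, not from the original post) that makes that comparison explicit. One refinement over the wording above: browsers compare the registrable domain (the public suffix plus one label, often called eTLD+1), not the full hostname, so `app.example.com` and `example.com` are the same site, while `widgets.github.io` and `myblog.github.io` are not, because `github.io` is a public suffix. The handful of suffixes in the code is a constructed stub standing in for the real Public Suffix List, and the accesses at the bottom are constructed inputs.

```python
"""Added example, not code from the original post: classifying a cookie
access as same-site or cross-site.

Assumption: browsers compare registrable domains (public suffix + 1 label,
"eTLD+1"), not whole hostnames. PUBLIC_SUFFIXES is a constructed stub of
the Public Suffix List with just enough entries for the cases below.
"""

# Constructed stub; load the real Public Suffix List for production use.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of host, e.g. 'shop.example.co.uk' -> 'example.co.uk'.
    A host that is itself a public suffix (e.g. 'github.io') has no
    registrable domain and is returned unchanged."""
    labels = host.lower().strip(".").split(".")
    # Scanning from the left finds the longest (most specific) public suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[-2:])


def is_same_site(cookie_domain: str, top_level_host: str) -> bool:
    """True when the cookie's Domain (leading dot allowed, as in a Domain
    attribute) and the host in the address bar share a registrable domain."""
    return registrable_domain(cookie_domain) == registrable_domain(top_level_host)


def cookie_context(cookie_domain: str, top_level_host: str) -> str:
    return "same-site" if is_same_site(cookie_domain, top_level_host) else "cross-site"


# Constructed cases: (cookie Domain, host shown in the address bar).
SAMPLE_ACCESSES = [
    ("example.com", "example.com"),             # plain first-party use
    (".example.com", "app.example.com"),        # subdomain: still same-site
    ("ads.example.net", "example.com"),         # same owner, other domain: cross-site
    ("shop.example.co.uk", "example.co.uk"),    # multi-label public suffix
    ("widgets.github.io", "myblog.github.io"),  # shared public suffix: cross-site
]

if __name__ == "__main__":
    for cookie_domain, host in SAMPLE_ACCESSES:
        print(f"{cookie_domain:>22} on {host:<18} -> {cookie_context(cookie_domain, host)}")
```

With the full Public Suffix List loaded into PUBLIC_SUFFIXES the same function gives real answers; the stub only covers the cases shown.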

A New Model for Cookie Security and Transparency

  • Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.
  • To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.
  • Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.

Chrome Enforcement Starting in February 2020

  • With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections. The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information.
  • Mozilla has affirmed their support of the new cookie classification model with their intent to implement the SameSite=None; Secure requirements for cross-site cookies in Firefox. Microsoft recently announced plans to begin implementing the model starting as an experiment in Microsoft Edge 80.

How to Prepare; Known Complexities

  • If you manage cross-site cookies, you will need to apply the SameSite=None; Secure setting to those cookies. Implementation should be straightforward for most developers, but we strongly encourage you to begin testing now to identify complexities and special cases, such as the following:
    • Not all languages and libraries support the None value yet, requiring developers to set the cookie header directly. This GitHub repository provides instructions for implementing SameSite=None; Secure in a variety of languages, libraries and frameworks.
    • Some browsers, including some versions of Chrome, Safari and UC Browser, might handle the None value in unintended ways, requiring developers to code exceptions for those clients. This includes Android WebViews powered by older versions of Chrome. Here’s a list of known incompatible clients.
    • App developers are advised to declare the appropriate SameSite cookie settings for Android WebViews based on versions of Chrome that are compatible with the None value, both for cookies accessed via HTTP(S) headers and via Android WebView's CookieManager API, although the new model will not be enforced on Android WebView until later.
    • Enterprise IT administrators may need to implement special policies to temporarily revert Chrome Browser to legacy behavior if some services such as single sign-on or internal applications are not ready for the February launch.
    • If you have cookies that you access in both a first and third-party context, you might consider using separate cookies to get the security benefits of SameSite=Lax in the first-party context.
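Putting the points above into practice (writing the header directly, and coding exceptions for clients that mishandle the None value), here is an added example in Python. It is my own code, not the post's and not taken from the GitHub repository it links to. It refuses SameSite=None without Secure, as Chrome 80 will, and picks the header per user agent. The user-agent rules are my reading of Chromium's published incompatible-clients list as it stood in early 2020 (Chrome 51 to 66, iOS 12 and macOS 10.14 WebKit browsers, UC Browser on Android before 12.13.2); treat them as assumptions and check them against the current list. The user-agent strings at the bottom are constructed test inputs.

```python
"""Added example, not code from the original post or the GitHub repository
it links to: Set-Cookie headers under the SameSite=None; Secure model, with
exceptions for clients that mishandle SameSite=None.

Assumption: the user-agent rules mirror Chromium's "SameSite=None: Known
Incompatible Clients" list as of early 2020. Verify against the current
list. The UA strings at the bottom are constructed.
"""
import re

_SAMESITE_VALUES = ("Lax", "Strict", "None")


def set_cookie_header(name, value, *, samesite="Lax", secure=False,
                      http_only=True, path="/", max_age=None):
    """Build one Set-Cookie header value. Python None omits the SameSite
    attribute entirely (legacy behaviour); the string "None" emits
    SameSite=None and is refused without secure=True."""
    if samesite is not None and samesite not in _SAMESITE_VALUES:
        raise ValueError(f"unsupported SameSite value: {samesite!r}")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None cookies must also be Secure")
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


# Patterns follow the structure of Chromium's published pseudocode (assumption).
_IOS = re.compile(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/")
_MACOS = re.compile(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/")
_SAFARI = re.compile(r"Version/.* Safari/")
_MAC_EMBEDDED = re.compile(r"^Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) "
                           r"AppleWebKit/[.\d]+ \(KHTML, like Gecko\)$")
_CHROMIUM = re.compile(r"Chrom(?:e|ium)/(\d+)")
_UC = re.compile(r"UCBrowser/(\d+)\.(\d+)\.(\d+)")


def _has_webkit_samesite_bug(ua):
    """iOS 12 and macOS 10.14 WebKit treat SameSite=None as SameSite=Strict."""
    m = _IOS.search(ua)
    if m and int(m.group(1)) == 12:
        return True
    m = _MACOS.search(ua)
    if m and (int(m.group(1)), int(m.group(2))) == (10, 14):
        is_safari = _SAFARI.search(ua) and not _CHROMIUM.search(ua)
        return bool(is_safari or _MAC_EMBEDDED.search(ua))
    return False


def _drops_samesite_none(ua):
    """Chrome 51-66 and UC Browser before 12.13.2 reject SameSite=None cookies."""
    m = _UC.search(ua)
    if m:
        return tuple(int(x) for x in m.groups()) < (12, 13, 2)
    m = _CHROMIUM.search(ua)
    return m is not None and 51 <= int(m.group(1)) <= 66


def samesite_none_incompatible(ua):
    return _has_webkit_samesite_bug(ua) or _drops_samesite_none(ua)


def cross_site_cookie_header(name, value, user_agent, **kwargs):
    """Header for a cookie that must keep working in a third-party context.
    Incompatible clients get no SameSite attribute (for them, unset means
    unrestricted); everyone else gets SameSite=None. Secure is set either
    way, since cross-site use is HTTPS-only under the new model."""
    samesite = None if samesite_none_incompatible(user_agent) else "None"
    return set_cookie_header(name, value, samesite=samesite, secure=True, **kwargs)


# Constructed user-agent strings for the cases above.
UA_CHROME_60 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
UA_CHROME_80 = UA_CHROME_60.replace("Chrome/60.0.3112.113", "Chrome/80.0.3987.87")
UA_IOS12_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")
UA_MAC1014_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")
UA_MAC1014_CHROME79 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36")
UA_UC_OLD = ("Mozilla/5.0 (Linux; U; Android 9; en-US; SM-G960F Build/PPR1.180610.011) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 "
             "UCBrowser/12.10.5.1171 Mobile Safari/537.36")
UA_UC_NEW = UA_UC_OLD.replace("UCBrowser/12.10.5.1171", "UCBrowser/12.13.2.1208")

if __name__ == "__main__":
    for label, ua in [("Chrome 60", UA_CHROME_60), ("Chrome 80", UA_CHROME_80),
                      ("iOS 12 Safari", UA_IOS12_SAFARI), ("UC 12.10", UA_UC_OLD)]:
        print(f"{label:>14}: {cross_site_cookie_header('sid', 'abc', ua)}")
```

The legacy branch deliberately omits SameSite rather than sending Lax: for those clients an unset attribute means unrestricted, which is the only way the cookie keeps working cross-site there. Keep the branch behind a metric on how much traffic still hits it, and remove it once those clients are gone.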
  • To test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments. In addition, these experiments will be automatically enabled for a subset of Chrome 79 Beta users. Some Beta users with the experiments enabled could experience incompatibility issues with services that do not yet support the new model; users can opt out of the Beta experiments by going to chrome://flags and disabling them.
    • Translator’s note:
      • 1. With “SameSite by default cookies” enabled, a cookie that sets no SameSite attribute is treated as SameSite=Lax.
      • 2. With “Cookies without SameSite must be secure” enabled, a cookie that sets SameSite=None must also set Secure, or it cannot be accessed cross-site.
  • If you manage cookies that are only accessed in a same-site context (same-site cookies) there is no required action on your part; Chrome will automatically prevent those cookies from being accessed by external entities, even if the SameSite attribute is missing or no value is set. However we strongly recommend you apply an appropriate SameSite value (Lax or Strict) and not rely on default browser behavior since not all browsers protect same-site cookies by default.
  • Finally, if you’re concerned about the readiness of vendors and others who provide services to your website, you can check for Developer Tools console warnings in Chrome 77+ when a page contains cross-site cookies that are missing the required settings.
  • Some providers (including some Google services) will implement the necessary changes in the months leading up to Chrome 80 in February; you may wish to reach out to your partners to confirm their readiness.
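To run the same check outside DevTools, for instance over Set-Cookie headers collected from a HAR file or a proxy log of your vendors' responses, here is an added example (my own code, not from the original post) that applies the two Chrome 80 rules stated above: a cookie with no SameSite attribute is treated as Lax, and SameSite=None is honoured only together with Secure (Chrome rejects it otherwise). The header lines it audits are constructed samples.

```python
"""Added example, not code from the original post: auditing captured
Set-Cookie headers for the effect of Chrome 80's defaults. Rules applied:
no SameSite attribute means Lax by default; SameSite=None is honoured only
together with Secure and the cookie is rejected otherwise. The headers in
SAMPLE_HEADERS are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieFinding:
    name: str
    samesite: Optional[str]
    secure: bool
    verdict: str  # cross-site-ok | same-site | default-lax | rejected | unrecognized
    note: str


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into the cookie name and its attributes.
    Attribute names are case-insensitive, so they are lower-cased here."""
    pair, *attrs = (part.strip() for part in header.split(";"))
    name = pair.split("=", 1)[0].strip()
    attributes: Dict[str, Optional[str]] = {}
    for attr in attrs:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if sep else None
    return name, attributes


def audit_set_cookie(header: str) -> CookieFinding:
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    if samesite is None:
        return CookieFinding(name, None, secure, "default-lax",
                             "no SameSite attribute: Chrome 80 treats it as Lax; if this "
                             "cookie is needed cross-site it will stop being sent")
    value = samesite.lower()
    if value == "none":
        if secure:
            return CookieFinding(name, "None", True, "cross-site-ok",
                                 "SameSite=None; Secure: available cross-site over HTTPS")
        return CookieFinding(name, "None", False, "rejected",
                             "SameSite=None without Secure: Chrome 80 rejects the cookie; add Secure")
    if value in ("lax", "strict"):
        return CookieFinding(name, value.capitalize(), secure, "same-site",
                             f"SameSite={value.capitalize()}: explicitly same-site only")
    return CookieFinding(name, samesite, secure, "unrecognized",
                         f"unrecognized SameSite value {samesite!r}; do not rely on it")


def audit_all(headers: List[str]) -> List[CookieFinding]:
    return [audit_set_cookie(h) for h in headers]


def needs_attention(findings: List[CookieFinding]) -> List[CookieFinding]:
    """Cookies whose behaviour changes under Chrome 80 or that it will drop."""
    return [f for f in findings if f.verdict in ("default-lax", "rejected", "unrecognized")]


# Constructed samples, as they might appear in a HAR file or proxy log.
SAMPLE_HEADERS = [
    "ads_id=abc123; Domain=.ads-vendor.example; Path=/; Max-Age=31536000; HttpOnly",
    "widget_sess=xyz; Path=/; SameSite=None",
    "embed_pref=1; Path=/; Secure; SameSite=None",
    "session=d3adb33f; Path=/; Secure; HttpOnly; SameSite=Lax",
    "legacy=2; Path=/; samesite=Strict; secure",
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_HEADERS):
        print(f"{finding.name:<12} {finding.verdict:<14} {finding.note}")
```

A "default-lax" finding is only a problem when that cookie is actually needed cross-site, which the header alone cannot tell you; pair the output with the page the cookie was observed on before raising it with the vendor.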