Newer Tomcat versions https://wiki.shibboleth.net/confluence/display/DEV/Tomcat+and+Jetty+SameSite+Workarounds support SameSite cookies via a TomcatContextCustomizer. So you should just customize the Tomcat CookieProcessor, e.g. for Spring Boot:
```java
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class MvcConfiguration implements WebMvcConfigurer {

    // Replace the embedded Tomcat's cookie processor so every cookie it
    // writes (JSESSIONID included) carries SameSite=None
    @Bean
    public TomcatContextCustomizer sameSiteCookiesConfig() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
            cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
            context.setCookieProcessor(cookieProcessor);
        };
    }
}
```
For SameSiteCookies.NONE, note that the cookie must also be Secure (use SSL), otherwise it cannot be applied. By default, since Chrome 80, cookies are treated as SameSite=Lax!

See SameSite Cookie in Spring Boot https://techhub.erimy.net/archives/0-a-2-aca-650721626055-a-3 and SameSite cookie recipes https://web.dev/samesite-cookie-recipes.
For an nginx proxy, it can easily be solved in the nginx config:

```nginx
if ($scheme = http) {
    return 301 https://$http_host$request_uri;
}
proxy_cookie_path / "/; secure; SameSite=None";
```

Update from @madbreaks: proxy_cookie_flags https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags iso proxy_cookie_path

```nginx
proxy_cookie_flags ~ secure samesite=none;
```
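As an added check (not part of the original answer or of Tomcat/Spring), the script below audits the Set-Cookie headers an application actually emits for the two rules stated above: SameSite=None is rejected without Secure, and a missing SameSite attribute is treated as Lax by Chrome 80+. The header values are constructed samples; the function names are my own.

```python
# Added example (not from the original answer): audit Set-Cookie headers for the
# SameSite=None -> Secure rule and the Chrome 80 Lax default described above.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieCheck:
    name: str
    samesite: Optional[str]   # value as sent, None when the attribute is absent
    secure: bool
    effective_samesite: str   # how a Chrome 80+ browser treats the cookie
    problems: List[str] = field(default_factory=list)


def check_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie header value and apply the two rules from the answer."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = value.strip().capitalize() or None  # "none" -> "None"
    problems = []
    if samesite is None:
        effective = "Lax"  # Chrome 80+ default when no SameSite attribute is set
        problems.append("no SameSite attribute: Chrome 80+ treats it as Lax, "
                        "so it is not sent on cross-site requests")
    elif samesite == "None" and not secure:
        effective = "rejected"  # browsers drop SameSite=None cookies lacking Secure
        problems.append("SameSite=None without Secure: the cookie is rejected")
    else:
        effective = samesite
    return CookieCheck(name, samesite, secure, effective, problems)


def audit_response_cookies(headers: List[str]) -> List[CookieCheck]:
    """Check every Set-Cookie header of a response; return only the flagged ones."""
    return [c for c in map(check_set_cookie, headers) if c.problems]


# Constructed sample headers, as a Spring Boot app might emit them before/after the fix.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C; Path=/; HttpOnly",                          # defaults to Lax
    "JSESSIONID=1A2B3C; Path=/; HttpOnly; SameSite=None",           # rejected
    "JSESSIONID=1A2B3C; Path=/; Secure; HttpOnly; SameSite=None",   # OK
    "XSRF-TOKEN=abc; Path=/; Secure; SameSite=Strict",              # OK
]

if __name__ == "__main__":
    for finding in audit_response_cookies(SAMPLE_HEADERS):
        print(f"{finding.name}: {'; '.join(finding.problems)}")
```

Point it at the real headers from `curl -sI https://your-app/` to confirm the CookieProcessor or the nginx rewrite took effect.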