Open exxocism opened 1 year ago
@HyerimKimm Hello! I looked into Same-Site a bit more. Starting with the conclusions, they are as follows:
1. Under the `Schemeful Same-Site` rule, http://localhost and https://localhost are `Cross-Site`.
2. https://auth-front.ngrok.app and https://auth-back.ngrok.app are `Cross-Site`.
3. The difference between Same-Site and Same-Origin applies when everything is the same and only the port differs.
4. In Chrome, the `Sec-Fetch-Site` header tells you how the site you are connecting to is classified.
Unlike MDN's general description of a Site,
These are the same site, or different sites if the scheme is considered:
http://example.com
https://example.com
the SameSite option that actually applies in the Set-Cookie header was in fact following a rule called Schemeful Same-Site.
Key Term: This means that the insecure HTTP version of a site (for example, http://website.example) and the secure HTTPS version (for example, https://website.example) are now considered cross-site to each other.
Looking more closely, it is mentioned in both the Site document and the SameSite document.
In some contexts, the scheme is also considered when differentiating sites. This would make http://vpl.ca and https://vpl.ca different sites. Including the scheme prevents an insecure (HTTP) site from being treated as the same site as a secure (HTTPS) site. A definition that considers the scheme is sometimes called a schemeful same-site. This stricter definition is applied in the rules for handling SameSite cookies.
If a request originates from a different domain or scheme (even with the same domain), no cookies with the SameSite=Strict attribute are sent.
According to the Schemeful Same-Site rule, http://localhost and https://localhost are Cross-Site. Also, when only the subdomain differs, the Site document treats it as Same-Site:
According to this definition, support.mozilla.org and developer.mozilla.org are part of the same site, because mozilla.org is a registrable domain.
but in practice, when the subdomain differed it was treated as Cross-Site. That is why it did not work when we tested it.
They are Cross-Site. How can you tell it is Cross-Site? Chrome has a Sec-Fetch-Site request header that reports this. Through this header we could see whether a request was cross-site, same-origin, or same-site.
[Screenshots not reproduced here; their captions, in order: Cross-Site, Cross-Site, Same-Site, same-origin, none]
The difference between Same-Site and Same-Origin applies when everything is the same and only the port differs. The Sec-Fetch-Site header tells you how the site you are connecting to is classified. We need to either change SameSite to None, or set up the conditions so that it is recognized as at least Same-Site.
TBD
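The classification discussed in this issue, as an added example that is not code from the issue or from the project it describes: a small Node.js script that computes the same-origin / same-site / cross-site relation between two URLs the way the browser does when it fills in Sec-Fetch-Site (schemeful site: scheme plus registrable domain, port ignored), and then decides whether a cookie with a given SameSite value would be attached. The hard-coded public-suffix table is an assumption standing in for the real Public Suffix List; ngrok.app is on that list, which is what makes two *.ngrok.app hosts distinct registrable domains (cross-site) while two *.mozilla.org hosts share one (same-site). The URL pairs are constructed to mirror the four conclusions above.

```javascript
// Added example, not code from the issue or its project: classify a request
// the way the browser does when it fills in Sec-Fetch-Site, using the
// schemeful same-site rule that the SameSite cookie attribute follows.
//
// Assumption (not on the page): a hard-coded stand-in for the Public Suffix
// List. ngrok.app is on the real list, which is why two *.ngrok.app hosts are
// different registrable domains (cross-site) while two *.mozilla.org hosts
// share one (same-site).
const PUBLIC_SUFFIXES = new Set(["com", "org", "app", "ngrok.app"]);

// Registrable domain (eTLD+1) of a hostname. Single-label hosts such as
// "localhost" and IPv4 literals are their own site.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase();
  const labels = host.split(".");
  if (labels.length < 2 || /^\d+(\.\d+){3}$/.test(host)) return host;
  // Walk from the longest candidate suffix down; the first public suffix
  // found, plus the label in front of it, is the registrable domain.
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return labels.slice(-2).join(".");
}

// Schemeful site: scheme + registrable domain, port ignored.
function site(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Origin: scheme + host + port (URL.origin drops default ports).
function origin(url) {
  return new URL(url).origin;
}

// The value Chrome puts in Sec-Fetch-Site for a request that `initiator`
// makes to `target`. `initiator === null` models a user-initiated request
// (address bar, bookmark), which the browser reports as "none".
function secFetchSite(initiator, target) {
  if (initiator === null) return "none";
  if (origin(initiator) === origin(target)) return "same-origin";
  if (site(initiator) === site(target)) return "same-site";
  return "cross-site";
}

// Whether a cookie that `target` set with the given SameSite value is
// attached to that request. Simplified: the Lax exception for top-level
// GET navigations is left out, and None requires Secure over https.
function cookieSent(sameSite, initiator, target, secure) {
  const rel = secFetchSite(initiator, target);
  switch (sameSite) {
    case "Strict":
    case "Lax":
      return rel !== "cross-site";
    case "None":
      return secure && new URL(target).protocol === "https:";
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed cases mirroring the conclusions in the issue.
const CASES = [
  ["http://localhost", "https://localhost"],                        // 1: scheme differs
  ["https://auth-front.ngrok.app", "https://auth-back.ngrok.app"],  // 2: public suffix
  ["https://localhost:3000", "https://localhost:8080"],             // 3: port only
  ["https://auth-back.ngrok.app", "https://auth-back.ngrok.app"],   // same-origin
  [null, "https://auth-back.ngrok.app"],                            // none
  ["https://support.mozilla.org", "https://developer.mozilla.org"], // MDN example
];

for (const [from, to] of CASES) {
  const rel = secFetchSite(from, to);
  const strict = cookieSent("Strict", from, to, true);
  console.log(`${String(from).padEnd(30)} -> ${to.padEnd(30)} ${rel.padEnd(12)} Strict cookie sent: ${strict}`);
}
```

Run it with `node` and compare the printed relation against the Sec-Fetch-Site value the browser shows in DevTools for the same pair. The two lines that matter for this issue are the first two: the scheme mismatch on localhost and the public-suffix split on ngrok.app both come out cross-site, so a Strict or Lax cookie is never attached; only SameSite=None with Secure over https, or moving both ends under one registrable domain, changes that.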