Tag: Cross Site

  • Samesite of cookie

    Time:2021-8-19

    Concept: SameSite prevents browsers from sending cookies along with cross-site requests. The main objective is to reduce the risk of cross-origin information disclosure. It also provides some protection against cross-site request forgery attacks. The possible values for this flag are lax or strict. SameSite can have the following three values: Strict only […]

  • Samesite things

    Time:2021-8-14

    In CSRF of web security vulnerabilities we learned that the essence of CSRF is to exploit the fact that cookies are automatically carried on requests, in order to induce users to initiate requests from third-party sites. In addition to the solutions mentioned in that article, the standard specifically adds the cookie SameSite attribute to avoid the problem. Chrome supported […]

  • Iframe after chrome 80 does not support sending third-party cookies

    Time:2021-8-6

    Recently, a problem was encountered in the project. There is a Kwai authorization page that is embedded in an iframe. After the user opens the authorization page, Kwai goes straight to the login interface, and after logging in the login page simply appears again. Problem analysis: First of all, I […]

  • Error encountered in Django: forbidden CSRF cookie not set

    Time:2021-7-12

    CSRF cookie not set. The hint is "CSRF cookie not set". What is CSRF? The hint indicates that Django requires string validation globally when sending POST requests. Function: preventing Cross-Site Request Forgery. Working principle: when the client accesses the server and the server normally returns data to the client, it returns […]

  • Iframe after chrome 80 does not support sending third party cookies

    Time:2021-4-11

    Recently, a problem was encountered in the project. There is a Kwai authorization page that is embedded in an iframe. After the user opens the authorization page, Kwai goes straight to the login interface, and after logging in the login page simply appears again. Problem analysis: First of all, there […]

  • Cookie security attribute: samesite

    Time:2021-1-31

    1. Background: Suddenly, after logging in to locally launched applications through the company SSO, I still can't get the login status information. It was fine two days ago. The investigation found that the cookie saving the login state had gained the Secure attribute: set-cookie: ticket=86A24; Max-Age=7775999; Domain=test.com; Path=/; HttpOnly; SameSite=None; Secure. Why? Why did the platform team suddenly add the Secure attribute, and what is SameSite=None? […]

  • I started to explore cookies because of login failure

    Time:2021-1-20

    Preface: Recently, Xiao Feng encountered a problem at work. After a few days of thinking and exploration, he finally found the cause. He thought it was valuable and wrote this article to share with those who love learning and are willing to think. I hope everyone who meets the same situation can […]

  • Analysis of browser cross domain problem

    Time:2020-11-25

    The browser's same-origin policy: same protocol, same domain name, same port. All browser vendors follow this policy. There are three kinds of behavior restrictions when origins differ (cross-domain): cookies, localStorage and IndexedDB cannot be accessed; the DOM cannot be accessed; Ajax requests cannot be sent. This same-origin policy can effectively prevent […]

  • Implementation of CSRF cross site attack defense under spring security framework

    Time:2020-9-1

    1. What is CSRF: When learning Spring Security, many people confuse CORS (Cross-Origin Resource Sharing) and CSRF (Cross-Site Request Forgery), thinking they are the same thing. In fact they are not. CORS (Cross-Origin Resource Sharing) is for locally relaxing the restriction of the same-origin policy, so that under certain rules, […]

  • Three incompatible updates of chrome 84 and 85, clodop, cross site SSO and third-party cookie will be the hardest hit areas

    Time:2020-7-22

    TLS 1.0 and TLS 1.1 policy changes. Notice: https://chromestatus.com/feat… Notice content: "In M-84, Chrome will show a full page interstitial warning on sites that do not support TLS 1.2 or higher." In translation: in Chrome 84, Chrome inserts a warning for sites that do not support TLS 1.2. In brief, the security layer protocol of the […]

  • JSONP hijacking attack details

    Time:2020-7-10

    The Chinese term for JSONP hijacking is JSON hijacking, and the reason JSON data can be hijacked is that the front end is subject to a cross-site attack. Cross-site = cross-domain, and cross-domain literally means going beyond a scope or field. Keep asking: beyond what? What is the original scope? Understanding cross-site attacks is […]

  • Samesite

    Time:2020-4-15

    If you have recently looked at the Chrome console, you may have noticed that it often reports warnings like: "A cookie associated with a cross-site resource at http://baidu.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure." The reason […]