{"id":22594,"date":"2019-07-26T12:00:46","date_gmt":"2019-07-26T03:00:46","guid":{"rendered":"https:\/\/www.techscore.com\/blog\/?p=22594"},"modified":"2019-07-19T16:23:17","modified_gmt":"2019-07-19T07:23:17","slug":"samesite","status":"publish","type":"post","link":"https:\/\/www.techscore.com\/blog\/2019\/07\/26\/samesite\/","title":{"rendered":"\u81ea\u5bb6\u88fd Cookie \u4ee5\u5916\u306f\u98df\u3079\u3061\u3083\u30c0\u30e1\uff01"},"content":{"rendered":"<p>\u3053\u3093\u306b\u3061\u306f\u3001\u30b2\u30b9\u30c8\u53c2\u52a0\u306e\u4e2d\u5c71\u3067\u3059\u3002<br \/>\n\u307e\u3082\u306a\u304f Chrome \u3084 Firefox \u306b\u3066 3rd-party Cookie \u306e\u6271\u3044\u304c\u5909\u66f4\u3055\u308c\u308b\u898b\u8fbc\u307f\u3067\u3059\u3002<\/p>\n<ul>\n<li>SameSite \u5c5e\u6027\uff08<a href='https:\/\/tools.ietf.org\/html\/draft-west-first-party-cookies-07'>draft-west-first-party-cookies-07<\/a>\uff09\u3078\u306e\u5bfe\u5fdc\u306b\u3088\u308a Cookie \u306b\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u5229\u7528\u304b\u5426\u304b\uff08= 3rd-party Cookie \u5229\u7528\u304b\u5426\u304b\uff09\u306e\u660e\u793a\u3092\u8981\u6c42<\/li>\n<li>\u660e\u793a\u7684\u306a SameSite \u5c5e\u6027\u306a\u3057\u3067 Set-Cookie \u3055\u308c\u305f\u5024\u306f 3rd-party Cookie \u3068\u3057\u3066\u5229\u7528\u3067\u304d\u306a\u304f\u306a\u308b<\/li>\n<li>\u3053\u308c\u306b\u3088\u308a Cookie \u306e\u76ee\u7684\u306e\u900f\u660e\u6027 + \u30e6\u30fc\u30b6\u30fc\u3078\u306e\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u63d0\u4f9b + CSRF \u3078\u306e\u5bfe\u7b56\u3092\u5b9f\u73fe<\/li>\n<\/ul>\n<p>\u4ed5\u69d8\u306b\u306f HTTP Cookie Header \u9001\u4fe1\u6642\u306e\u632f\u308b\u821e\u3044\u306b\u3064\u3044\u3066\u5b9a\u7fa9\u3055\u308c\u3066\u307e\u3059\u304c<\/p>\n<blockquote><p>\n3.2. Semantics of the \"SameSite\" Attribute (Non-Normative)<\/p>\n<p>The \"SameSite\" attribute limits the scope of the cookie such that it will only be attached to requests if those requests are \"same-site\", as defined by the algorithm in Section 2.1.  For example, requests for \"https:\/\/example.com\/sekrit-image\" will attach same-site cookies if and only if initiated from a context whose \"site for cookies\" is \"example.com\".<\/p>\n<p>If the \"SameSite\" attribute's value is \"Strict\", or if the value is invalid, the cookie will only be sent along with \"same-site\" requests.  If the value is \"Lax\", the cookie will be sent with \"same-site\" requests, and with \"cross-site\" top-level navigations, as described in Section 4.1.1.\n<\/p><\/blockquote>\n<p>\u4eca\u56de\u306f\u4ed5\u69d8\u306b\u660e\u793a\u3055\u308c\u3066\u3044\u306a\u3044 HTTP Set-Cookie Header \u53d7\u4fe1\u6642\u306e\u632f\u308b\u821e\u3044\u3001\u5177\u4f53\u7684\u306b\u306f SameSite \u5c5e\u6027\u306e\u4e0a\u66f8\u304d\u306b\u3064\u3044\u3066\u5b9f\u9a13\u3057\u3066\u307f\u305f\u3044\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<h2>\u4e0a\u66f8\u304d\u78ba\u8a8d<\/h2>\n<p>\u521d\u56de\u306e Cookie \u66f8\u304d\u8fbc\u307f\u306e\u65b9\u6cd5 + \u4e8c\u56de\u76ee\u306e Cookie \u66f8\u304d\u8fbc\u307f\u306e\u65b9\u6cd5\u3001\u306e\u7d44\u307f\u5408\u308f\u305b\u304b\u3089\u3001\u6700\u7d42\u7684\u306a SameSite \u5224\u5b9a\u3092\u78ba\u8a8d\u3057\u3066\u307f\u307e\u3059\uff08\u672c\u8abf\u67fb\u306f Yahoo! \u306e FE \u30a8\u30f3\u30b8\u30cb\u30a2\u306e\u5b89\u5ddd\u6f64\u4e00\u3055\u3093\u306b\u3054\u5354\u529b\u9802\u304d\u307e\u3057\u305f\u3002\u5b89\u5ddd\u3055\u3093\u3042\u308a\u304c\u3068\u3046\u3054\u3056\u3044\u307e\u3059\uff09\u3002<br \/>\n\u306a\u304a\u3001\u52d5\u4f5c\u78ba\u8a8d\u306b\u306f Chrome canary 77.0.3831.0 \u3092\u7528\u3044\u307e\u3057\u305f\u3002<\/p>\n<p><img src=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/07\/1.png\" alt=\"\" xwidth=\"300\" xheight=\"110\" class=\"alignnone size-medium wp-image-22596\" \/><\/p>\n<p>\u3053\u306e\u7d50\u679c\u304b\u3089 Chrome \u3067\u306f\u300c\u5c5e\u6027\u306a\u3057\u306e HTTP Set-Cookie\uff08from 3rd-party\uff09\u300d\u3092\u9664\u304d\u3001\u5e38\u306b Cookie \u306e\u4e0a\u66f8\u304d\u304c\u53ef\u80fd\u3067\u3042\u308b\u3068\u3044\u3046\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n<h2>\u5b9f\u88c5\u4ed5\u69d8\u306e\u7591\u554f\u70b9<\/h2>\n<p>\u3068\u3053\u308d\u3067 Chrome \u306e\u5b9f\u88c5\u4ed5\u69d8\u306f\u3001\u8868\u4e2d\u306e\u7740\u8272\u3057\u305f\u90e8\u5206\u306b\u7591\u554f\u70b9\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p><img src=\"https:\/\/www.techscore.com\/blog\/wp\/wp-content\/uploads\/2019\/08\/2.png\" alt=\"\" xwidth=\"300\" xheight=\"110\" class=\"alignnone size-medium wp-image-22595\" \/><\/p>\n<p>\u5177\u4f53\u7684\u306b\u306f \u2026<\/p>\n<ul>\n<li>\u8d64 = 1st-party \u304b\u3089\u306e 3rd-party \u5236\u9650\u3092 3rd-party \u304b\u3089\u7de9\u548c\u3067\u304d\u3066\u3088\u3044\u306e\u304b\uff1f<\/li>\n<li>\u6a59 = 3rd-party \u5236\u9650\u3092 3rd-party \u304b\u3089\u7de9\u548c\u3067\u304d\u3066\u3088\u3044\u306e\u304b\uff1f<\/li>\n<li>\u9ec4 = HTTP Set-Cookie \u306b\u95a2\u3059\u308b 3rd-party \u5236\u9650 \/ \u7de9\u548c\u3092 JavaScript \u3067\u5909\u66f4\u3067\u304d\u3066\u826f\u3044\u306e\u304b\uff1f<br \/><span style='color:gray;'>\u203b HttpOnly \u5c5e\u6027\u306b\u3082\u540c\u3058\u3053\u3068\u304c\u8a00\u3048\u307e\u3059<\/span><\/li>\n<\/ul>\n<p>\u8d64\u306b\u3064\u3044\u3066\u306f\u300c1st-party \u5c02\u7528\u300d\u3068\u5ba3\u8a00\uff08= 3rd-party \u5236\u9650\uff09\u3057\u3066\u3044\u305f SameSite \u5c5e\u6027\u3092\u3001\u5236\u9650\u3055\u308c\u3066\u3044\u308b\u306f\u305a\u306e 3rd-party \u304b\u3089\u7de9\u548c\u3067\u304d\u308b\u306e\u306f\u5fae\u5999\u306a\u6c17\u304c \u2026<br \/>\nSynergyMarketing \u306e <a href='https:\/\/www.techscore.com\/blog\/author\/matsumoto-s\/'>\u677e\u672c\u3055\u3093<\/a> \u66f0\u304f 1st-party \u304b\u3089 Lax \u6307\u5b9a\u3067 Set-Cookie \u3057\u305f\u5024\u3092 3rd-party \u304b\u3089\u8aad\u3081\u308b\u308f\u3051\u3067\u306f\u306a\u3044\u306e\u3067\uff08\u30c8\u30e9\u30c3\u30ad\u30f3\u30b0\u306f\u51fa\u6765\u306a\u3044\u306e\u3067\uff09\u826f\u3044\u306e\u3067\u306f\u306a\u3044\u304b\u3001\u3068\u3002<br \/>\n\u306a\u308b\u307b\u3069\u3001\u305d\u3046\u3044\u3046\u898b\u304b\u305f\u3082\u3042\u308a\u307e\u3059\u306d\u3002<\/p>\n<p>\u3061\u306a\u307f\u306b\u5c5e\u6027\u3067\u306f\u306a\u304f\u5024\u306b\u3064\u3044\u3066\u306f\u3001\u4ee5\u524d\u306e\u8abf\u67fb <a href='https:\/\/www.techscore.com\/blog\/2017\/10\/06\/about-cookie\/'>Cookie \u304c\u4e0a\u66f8\u304d\u3055\u308c\u308b !?<\/a> \u306e\u901a\u308a\u66f8\u304d\u8fbc\u307f\u65b9\u6cd5\u6bce\u306b\u7ba1\u7406\u3055\u308c\u3066\u3044\u308b\u3088\u3046\u3067\u3057\u305f\u3002<br \/>\n\u3053\u306e\u3042\u305f\u308a\u306f\u30d6\u30e9\u30a6\u30b6\u6bce\u306b\u5b9f\u88c5\u304c\u7570\u306a\u308b\u9818\u57df\u3067\u3059\u306e\u3067\u3001\u4ed6\u30d6\u30e9\u30a6\u30b6\u306b\u3064\u3044\u3066\u78ba\u8a8d\u3055\u308c\u305f\u65b9\u304c\u3044\u308c\u3070\u662f\u975e\u7d50\u679c\u3092\u6559\u3048\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<h2>\u307e\u3068\u3081\uff08\u3068\u3044\u3046\u304b\u96d1\u611f\uff09<\/h2>\n<p>\u3055\u3066 <a href='https:\/\/blog.chromium.org\/2019\/05\/improving-privacy-and-security-on-web.html'>Chromium Blog<\/a> \u3067\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u8ff0\u3079\u3089\u308c\u3066\u307e\u3059\u3002<\/p>\n<blockquote><p>\nwhile heuristic-based approaches where the browser guesses at a cookie's purpose make the web unpredictable for developers.\n<\/p><\/blockquote>\n<p>ITP \u7684\u306a\u30a2\u30d7\u30ed\u30fc\u30c1\u3084 <a href='https:\/\/www.techscore.com\/blog\/2016\/06\/24\/3rd-party-cookie\/'>\u8a2a\u554f\u6e08\u307f\u30b5\u30a4\u30c8\u304b\u5426\u304b<\/a> \u3067 3rd-party Cookie \u306e\u6709\u52b9 \/ \u7121\u52b9\u3092\u5207\u308a\u66ff\u3048\u308b\u65b9\u6cd5\u306f\u30b5\u30fc\u30d3\u30b9\u958b\u767a\u8005\u3092\u6df7\u4e71\u3055\u305b\u308b\u305f\u3081<\/p>\n<blockquote><p>\nwe will be updating Chrome to provide users with more transparency about how sites are using cookies, as well as simpler controls for cross-site cookies.\n<\/p><\/blockquote>\n<p>\u900f\u660e\u6027\u3068\u30e6\u30fc\u30b6\u30fc\u3078\u306e\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3092\uff08SameSite \u5c5e\u6027\u306b\u3088\u3063\u3066\uff09\u63d0\u4f9b\u3057\u307e\u3059\u3001\u3068\u3002<br \/>\n\u30c8\u30e9\u30c3\u30ad\u30f3\u30b0\u696d\u8005\u306f\u65e2\u5b58\u306e Cookie \u306b SameSite=None \u3092\u4ed8\u4e0e\u3059\u308b\u3053\u3068\u3067\u3001\u30c8\u30e9\u30c3\u30ad\u30f3\u30b0\u306e\u30ab\u30d0\u30ec\u30c3\u30b8\u3092\u7dad\u6301\u3059\u308b\u3053\u3068\u304c\u51fa\u6765\u307e\u3059\u304c\u3001\u4eca\u5f8c\u300c\u30e6\u30fc\u30b6\u30fc\u3078\u306e\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u300d\u304c\u3069\u306e\u3088\u3046\u306a\u5f62\u3067\u63d0\u4f9b\u3055\u308c\u308b\u304b\u306b\u3064\u3044\u3066\u306f\u30a6\u30aa\u30c3\u30c1\u3057\u3066\u304a\u304f\u3053\u3068\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/p>\n<p>\u3042\u308b\u65e5\u7a81\u7136 SameSite=None \u306a Cookie \u306b\u5bfe\u3059\u308b\u30c7\u30d5\u30a9\u30eb\u30c8\u52d5\u4f5c\u304c\u5909\u66f4\u3055\u308c\u308b\u304b\u3082\u3057\u308c\u307e\u305b\u3093 \u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u3053\u3093\u306b\u3061\u306f\u3001\u30b2\u30b9\u30c8\u53c2\u52a0\u306e\u4e2d\u5c71\u3067\u3059\u3002<br \/>\n\u307e\u3082\u306a\u304f Chrome \u3084 Firefox \u306b\u3066 3rd-party Cookie \u306e\u6271\u3044\u304c\u5909\u66f4\u3055\u308c\u308b\u898b\u8fbc\u307f\u3067\u3059\u3002<br \/><a href=\"https:\/\/www.techscore.com\/blog\/2019\/07\/26\/samesite\/\">\u7d9a\u304d\u3092\u8aad\u3080...<\/a><\/p>\n","protected":false},"author":19,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[273,222,219],"_links":{"self":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts\/22594"}],"collection":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/comments?post=22594"}],"version-history":[{"count":33,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts\/22594\/revisions"}],"predecessor-version":[{"id":22643,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/posts\/22594\/revisions\/22643"}],"wp:attachment":[{"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/media?parent=22594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/categories?post=22594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techscore.com\/blog\/wp-json\/wp\/v2\/tags?post=22594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}