[Translation] The new cookie security model is coming: what do we need to prepare? (Bilingual)

  • 原文:Get Ready for New SameSite=None; Secure Cookie Settings
    webmasters.googleblog.com/2020/01/get…
  • Translator: 西樓聽雨 (WeChat name t.t.)
  • In May, Chrome announced a secure-by-default model for cookies, enabled by a new cookie classification system (spec). This initiative is part of our ongoing effort to improve privacy and security across the web.
  • In May, the Chrome team released a new secure-by-default cookie security model, based on a new cookie classification system. We have been working continuously to improve privacy and security across the web, and this model proposal is part of that effort.
  • Chrome plans to implement the new model with Chrome 80 in February 2020. Mozilla and Microsoft have also indicated intent to implement the new model in Firefox and Edge, on their own timelines. While the Chrome changes are still a few months away, it’s important that developers who manage cookies assess their readiness today. This blog post outlines high level concepts; please see SameSite Cookies Explained on web.dev for developer guidance.
  • Chrome plans to complete the implementation of this new model in February 2020. Mozilla and Microsoft have also indicated their intent to implement the new model in their own Firefox and Edge. Although Chrome's implementation is still a few months away, it is important for developers to understand their readiness for the new model early. This blog post is a high-level conceptual introduction to the model; for developer guidance, please see the document SameSite Cookies Explained on web.dev.

Understanding Cross-Site and Same-Site Cookie Context

  • Understanding the cross-site and same-site cookie contexts
  • Websites typically integrate external services for advertising, content recommendations, third party widgets, social embeds and other features. As you browse the web, these external services may store cookies in your browser and subsequently access those cookies to deliver personalized experiences or measure audience engagement. Every cookie has a domain associated with it. If the domain associated with a cookie matches an external service and not the website in the user’s address bar, this is considered a cross-site (or "third party") context.
  • Websites typically embed external services such as advertising, content recommendations, third-party widgets and social media embeds. As you browse the web, these external services may store cookies in your browser and later access them to deliver personalised experiences or measure audience engagement. Every cookie belongs to a domain; if the domain a cookie belongs to does not match the website in the user's address bar, this is considered a cross-site context (also called a "third-party" context).
  • Less obvious cross-site use cases include situations where an entity that owns multiple websites uses a cookie across those properties. Although the same entity owns the cookie and the websites, this still counts as cross-site or "third party" context when the cookie’s domain does not match the site(s) from which the cookie is accessed.
  • There is a less obvious cross-site scenario: one entity owns multiple websites, and these websites all share a cookie. Although the same entity owns both the websites and the cookie, as long as the cookie's domain does not match the domains of these websites, the cross-site or "third-party" context problem arises.
  • In contrast, cookie access in a same-site (or "first party") context occurs when a cookie’s domain matches the website domain in the user’s address bar. Same-site cookies are commonly used to keep people logged into individual websites, remember their preferences and support site analytics.
  • In contrast to the cross-site context, when the cookie's domain matches the domain of the website in the user's address bar, the cookie access takes place in a same-site context (also called a "first-party" context). Same-site cookies are typically used to keep people logged in on a website, to remember their preferences, or to support site analytics.

A New Model for Cookie Security and Transparency

  • A new model for cookie security and transparency
  • Today, if a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of two settings (SameSite=Lax or SameSite=Strict) to prevent external access. However, very few developers follow this recommended practice, leaving a large number of same-site cookies needlessly exposed to threats such as Cross-Site Request Forgery attacks.
  • Today, if a cookie is only meant to be used in a first-party context, the developer can apply one of two settings to prevent external access: SameSite=Lax or SameSite=Strict. However, few developers follow this recommended practice, leaving a large number of same-site cookies exposed to threats such as Cross-Site Request Forgery attacks.
  • To safeguard more websites and their users, the new secure-by-default model assumes all cookies should be protected from external access unless otherwise specified. Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.
  • To bring more websites and their users under protection, the new model assumes that all cookies are inaccessible externally by default unless explicitly specified otherwise. Developers must use a new cookie setting, SameSite=None, to mark a cookie as supporting cross-site access. In addition to the SameSite=None attribute, a further attribute, Secure, must also be set, so that the cookie can only be accessed over HTTPS connections.
  • Beyond the immediate security benefits, the explicit declaration of cross-site cookies enables greater transparency and user choice. For example, browsers could offer users fine-grained controls to manage cookies that are only accessed by a single site separately from cookies accessed across multiple sites.
  • Beyond the immediate security gains above, explicitly declaring that a cookie supports cross-site use also makes security more transparent and gives users more choice. For example, browsers could use it to offer users finer-grained cookie management, letting them manage cross-site cookies separately from same-site cookies.

Chrome Enforcement Starting in February 2020

  • Chrome will start enforcing the new model in February 2020
  • With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections. The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information.
  • With the release of Chrome 80 in February, Chrome will treat cookies without an explicitly specified SameSite value as SameSite=Lax, and only cookies set with SameSite=None; Secure will be available for external access over secure connections (that is, HTTPS).
  • Mozilla has affirmed their support of the new cookie classification model with their intent to implement the SameSite=None; Secure requirements for cross-site cookies in Firefox. Microsoft recently announced plans to begin implementing the model starting as an experiment in Microsoft Edge 80.
  • Mozilla has confirmed that it will support the new cookie classification model in Firefox, including the requirement that cross-site cookies be set with SameSite=None; Secure. Microsoft also recently announced plans to implement the new model as an experimental option in Edge 80.

How to Prepare; Known Complexities

  • Preparations to make in advance, and some known issues
  • If you manage cross-site cookies, you will need to apply the SameSite=None; Secure setting to those cookies. Implementation should be straightforward for most developers, but we strongly encourage you to begin testing now to identify complexities and special cases, such as the following:
  • If you manage cross-site cookies, you need to set those cookies to SameSite=None; Secure. For developers, the implementation may be simple and quickly done, but we strongly recommend that you start testing now to surface complexities and edge cases early, for example:
    • Not all languages and libraries support the None value yet, requiring developers to set the cookie header directly. This Github repository provides instructions for implementing SameSite=None; Secure in a variety of languages, libraries and frameworks.
    • Not all languages and libraries support setting the None value, so developers may need to set the cookie header directly. This GitHub repository provides instructions for setting SameSite=None; Secure in a variety of languages, libraries and frameworks.
    • Some browsers, including some versions of Chrome, Safari and UC Browser, might handle the None value in unintended ways, requiring developers to code exceptions for those clients. This includes Android WebViews powered by older versions of Chrome. Here’s a list of known incompatible clients.
    • Some browsers, including certain versions of Chrome, Safari and UC Browser, may not handle the None value as expected, so developers need to add exception handling for those browser clients. Here is a list of browser clients confirmed to be incompatible.
    • App developers are advised to declare the appropriate SameSite cookie settings for Android WebViews based on versions of Chrome that are compatible with the None value, both for cookies accessed via HTTP(S) headers and via Android WebView's CookieManager API, although the new model will not be enforced on Android WebView until later.
    • App developers are advised, when setting SameSite,
    • Enterprise IT administrators may need to implement special policies to temporarily revert Chrome Browser to legacy behavior if some services such as single sign-on or internal applications are not ready for the February launch.
    • If, when Chrome ships in February, some services within the enterprise such as single sign-on or internal applications have not yet been adjusted, enterprise IT administrators may need to set special policies to temporarily revert the Chrome browser to its previous behaviour.
    • If you have cookies that you access in both a first and third-party context, you might consider using separate cookies to get the security benefits of SameSite=Lax in the first-party context.
    • If some cookies are used in both first-party and third-party contexts, you could consider splitting them and using SameSite=Lax in the first-party context.
  • To test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the "SameSite by default cookies" and "Cookies without SameSite must be secure" experiments. In addition, these experiments will be automatically enabled for a subset of Chrome 79 Beta users. Some Beta users with the experiments enabled could experience incompatibility issues with services that do not yet support the new model; users can opt out of the Beta experiments by going to chrome://flags and disabling them.
  • If you want to test the impact the upcoming Chrome release may have on your website and cookies, you can open chrome://flags in Chrome 76 or later and enable the two experimental options "SameSite by default cookies" and "Cookies without SameSite must be secure". Note also that these two options are enabled by default for a subset of Chrome 79 Beta users; since some services do not yet support the new model, some Beta users may run into compatibility problems. If needed, these two options can be disabled.
    • Translator's notes:
      • 1. Once "SameSite by default cookies" is enabled, cookies without a SameSite attribute are treated as SameSite=Lax.
      • 2. Once "Cookies without SameSite must be secure" is enabled, a cookie set with SameSite=None must also have Secure set before it can be accessed cross-site.
  • If you manage cookies that are only accessed in a same-site context (same-site cookies) there is no required action on your part; Chrome will automatically prevent those cookies from being accessed by external entities, even if the SameSite attribute is missing or no value is set. However we strongly recommend you apply an appropriate SameSite value (Lax or Strict) and not rely on default browser behavior since not all browsers protect same-site cookies by default.
  • If you only manage cookies used in a same-site context, you need not make any change; Chrome will automatically block external entities from accessing those cookies, even if you have not set the SameSite attribute or given it a value. Still, we recommend that you set the SameSite value (Lax or Strict) and not rely on the browser's default behaviour, because not all browsers protect your "same-site cookies" by default.
  • Finally, if you’re concerned about the readiness of vendors and others who provide services to your website, you can check for Developer Tools console warnings in Chrome 77+ when a page contains cross-site cookies that are missing the required settings:
  • Finally, if you are concerned about the readiness of browser vendors and of the providers of third-party services to your website, you can open the Developer Tools in Chrome 77 or later and check for console warnings: a warning is issued when a page contains a cross-site cookie that lacks the required settings:
  • Some providers (including some Google services) will implement the necessary changes in the months leading up to Chrome 80 in February; you may wish to reach out to your partners to confirm their readiness.
  • Some service providers (including some Google services) will make the necessary changes in the months before Chrome 80 ships in February; as for the readiness of your partners, you may want to confirm with them.
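The header-writing and readiness checks described in the "How to Prepare" section, as an added Python example (not code from the original post or from Google). The function names and warning strings are my own; the rules encoded are only those the post states: an unset SameSite is treated as Lax, and SameSite=None is honoured only together with Secure.

```python
# Added example for the "How to Prepare" section; not code from the post.
# Function names and message strings are my own. The rules encoded are only
# those the post states: a cookie with no SameSite value is treated as
# SameSite=Lax, and SameSite=None is honoured only when Secure is also set.


def build_set_cookie(name, value, cross_site, path="/"):
    """Write the Set-Cookie header directly, for libraries that cannot emit
    SameSite=None. Cross-site cookies get None plus the mandatory Secure flag;
    first-party cookies get an explicit Lax instead of relying on defaults."""
    parts = [f"{name}={value}", f"Path={path}", "HttpOnly"]
    if cross_site:
        parts += ["SameSite=None", "Secure"]
    else:
        parts.append("SameSite=Lax")
    return "; ".join(parts)


def audit_set_cookie(header, intended_cross_site):
    """Return the problems Chrome 80+ would raise for this Set-Cookie header,
    given how the cookie is meant to be used. An empty list means ready."""
    attrs = {}
    for token in header.split(";")[1:]:       # skip the name=value pair
        key, _, val = token.strip().partition("=")
        attrs[key.lower()] = val.strip().lower()
    samesite = attrs.get("samesite") or None  # absent or empty: both unset
    secure = "secure" in attrs
    problems = []
    if samesite == "none" and not secure:
        problems.append("SameSite=None without Secure: cookie will be rejected")
    if intended_cross_site and samesite != "none":
        problems.append("cross-site use but SameSite is %s: cookie will not be "
                        "sent cross-site (unset defaults to Lax in Chrome 80)"
                        % (samesite or "unset"))
    if not intended_cross_site and samesite is None:
        problems.append("no SameSite value: relying on browser default; "
                        "set Lax or Strict explicitly")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: one cookie split into a first-party and a
    # cross-site variant, as the post suggests, plus a legacy header.
    for hdr, cross in [(build_set_cookie("sid", "abc", False), False),
                       (build_set_cookie("sid_x", "abc", True), True),
                       ("legacy=1; Path=/", True)]:
        print(hdr, "->", audit_set_cookie(hdr, cross) or "ready")
```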