problem description
want to prevent csrf attacks through samesite, but write a demo,cookie and always don"t get it.
the environmental background of the problems and what methods you have tried
I started two websites with ports 3001 and 3002pj3001 to set up the cookie,3002 request 3001 service. The cookie of
3001 sets samesite to strict, but the request made by 3002 still gets the cookie.
related codes
Development language nodejs, Framework express,chrome browser
/ / 3001 Code
app.get("/main", (req, res) => {
res.cookie("name", "wenmu", { sameSite: "strict" });
res.set({ "Content-Type": "text/html" });
res.sendFile("main.html", { root: __dirname });
});
app.get("/setVal", (req, res) => {
console.log(req.headers.cookie);
console.log(req.headers.referer);
res.send([req.headers.referer, req.headers.cookie]);
});
app.listen(3001, () => {
console.log("app start on port 3001");
});
/ / 3002 Code
<a href="http://localhost:3001/setVal"></a>
expected results
if you click on the request issued by "100 Yuan Award", the server should not carry cookie after receiving the request.