Why are iframe requests not sending cookies?

问题

A sibling department has created an HTML file that is effectively a scaffold for a handful of iframes. The iframes each call a report, which is hosted on a web server, with slightly different parameters. The called report will show a sign-on form to unauthenticated users, or the report contents to already-authenticated users.

scaffold.html:

<html>
   <head>
      <title>I just show the output from a bunch of report calls</title>
   </head>
   <body>
      <iframe src="https://somesite.com/useful_report.html?parameter1=a&parameter2=1" id="iframe1"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=b&parameter2=2" id="iframe2"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=c&parameter2=3" id="iframe3"></iframe>
      <iframe src="https://somesite.com/useful_report.html?parameter1=d&parameter2=4" id="iframe4"></iframe>
   </body>
</html>

The sibling organization explained to us that if a user was signed on to https://somesite.com, the above setup worked great--each of the iframes would display the useful_report.html content...until a few days ago.

When I

1. sign on to https://somesite.com, then
2. load file:///C:/Users/me/Desktop/scaffold.html into Chrome

each of the iframes returns the https://somesite.com sign on form. If I then open useful_report.html in a separate tab, the report content loads (proving somesite.com knows I am still signed on‡).

Using developer tools, I can see that the request headers to useful_report.html do not include the "Cookie:" attribute, so this explains why useful_report.html returns the sign on form.

My question is why are the iframe requests not sending cookies? What Chrome and/or server setting/policy/directive prevents it?

‡ - and now it knows that I know that it knows.

回答1:

That's because of SameSite cookie policy that Chrome defaults to Lax, meaning the cookies won't be sent unless the user can see the URL which excludes iframes.

If you own the somesite.com you can opt-out of this policy by setting SameSite policy to None and deal with the risk of CSRF attacks by a doing Double Submit Cookie.

回答2:

If you wish to use native ajax or jquery ajax, then strip off async:false. it worked for me.

For further compatibility on older browsers i recommend using http://easyxdm.net/wp/. EasyXDM approach is to use an iframe hack that requires you to place an html file at the host that you're making ajax calls to. And this will be forcefully async, yes. But what's nice with this easyXDM is that you won't have to worry about cors headers.

来源：https://stackoverflow.com/questions/53842054/why-are-iframe-requests-not-sending-cookies