Why not login to Qiita and try out its useful features?

We'll deliver articles that match you.

You can read useful information later.

LoginSign up
7
8

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

More than 1 year has passed since last update.

@reoito

Safariใงใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃCookieใ‚’ๅ–ๅพ—ใ™ใ‚‹Storage Access APIใ‚’่ฉฆใ—ใฆใฟใŸ

Last updated at Posted at 2020-03-27

ๆฆ‚่ฆ

iOS13.4ใฎSafariใซใŠใ„ใฆใ€ใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃCookieใŒๅฎŒๅ…จใซใƒ–ใƒญใƒƒใ‚ฏใ•ใ‚Œใ‚‹ใ‚ˆใ†ใซใชใ‚Šใพใ—ใŸใ€‚
่ฉณใ—ใใฏไธ‹่จ˜ใ‚’ใ”็ขบ่ชใใ ใ•ใ„ใ€‚
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

iOSใฎ ่จญๅฎš๏ผžSafari๏ผžใ‚ตใ‚คใƒˆ่ถŠใˆใƒˆใƒฉใƒƒใ‚ญใƒณใ‚ฐใ‚’้˜ฒใ ใ‚’OFFใซใ™ใ‚‹ใจใ€ใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃCookieใฎ่ชญใฟๆ›ธใใŒๅฏ่ƒฝใซใชใ‚Šใพใ™ใŒใ€Safariใฎใƒ‡ใƒ•ใ‚ฉใƒซใƒˆใฎ่จญๅฎšใงใฏใ€ใ‚ตใ‚คใƒˆ่ถŠใˆใƒˆใƒฉใƒƒใ‚ญใƒณใ‚ฐใŒONใจใชใฃใฆใŠใ‚Šใ€ใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃCookieใฏใƒ–ใƒญใƒƒใ‚ฏใ•ใ‚Œใพใ™ใ€‚

ใ“ใ“ใงใฏใ€ไธŠ่จ˜ใฎwebkit.orgใงใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃCookieใ‚’ๅ–ๅพ—ใ™ใ‚‹ๆ–นๆณ•๏ผˆOption 2๏ผ‰ใจใ—ใฆๆŒ™ใ’ใ‚‰ใ‚Œใฆใ„ใ‚‹ Storage Access API ใ‚’่ฉฆใ—ใฆใฟใพใ™ใ€‚
็ต่ซ–ใ‹ใ‚‰่จ€ใ„ใพใ™ใจใ€ใ‚ตใ‚คใƒˆ่ถŠใˆใƒˆใƒฉใƒƒใ‚ญใƒณใ‚ฐใŒONใฎ็Šถๆ…‹ใงใ€ใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃCookieใ‚’ๅ–ๅพ—ใ™ใ‚‹ใ“ใจใŒๅ‡บๆฅใพใ—ใŸใ€‚๏ผˆdocument.cookieใฎใฟใ ใŒ๏ผ‰
2020ๅนด3ๆœˆ27ๆ—ฅๆ™‚็‚นใฎiOS13.4 ใฎSafariใงๆคœ่จผใ—ใฆใ„ใพใ™ใ€‚

ใ‚ตใƒณใƒ—ใƒซใ‚ณใƒผใƒ‰

ใƒ•ใ‚กใ‚คใƒซใ‚’ไธ‹่จ˜ใฎใ‚ˆใ†ใซ้…็ฝฎใ—ใฆใใ ใ•ใ„ใ€‚
hoge.com
โ””parent.php
foo.com
โ”œchild.php
โ””first_party_cookie.php

parent.php

iframe ใ‚ฟใ‚ฐใ‚’่จญ็ฝฎใ™ใ‚‹ใƒšใƒผใ‚ธใซใชใ‚Šใพใ™ใ€‚

parent.php
<?php
setcookie("1st-party-from-server", "hoge.com", time() + 86400);
?>
<!DOCTYPE html>
<meta name="viewport" content="width=device-width,initial-scale=1">
<html>
  <head>
    <meta charset="UTF-8" />
    <title>iframe test</title>
  </head>
  <body>
    <div>parent.php</div>
    <ul>
      <li><a href="http://foo.com/first_party_cookie.php">first party cookie set in foo.com</a></li>
    </ul>
    <div>
        <iframe src="http://foo.com/child.php" width="100%" height="400">
        </iframe>
    </div>
  </body>
</html>

child.php

parent.php ใฎiframeใฎsrcใซ่จญ็ฝฎใ™ใ‚‹ใƒšใƒผใ‚ธใซใชใ‚Šใพใ™ใ€‚

child.php
<?php
setcookie("3rd-party-from-server", "foo.com", time() + 86400);
?>
<!DOCTYPE html>
<meta name="viewport" content="width=device-width,initial-scale=1">
<html>
  <head>
    <meta charset="UTF-8" />
    <title>iframe test</title>
  </head>
  <body>
    <div>child.php</div>
    <div>$_COOKIE:<pre><?=htmlspecialchars(print_r($_COOKIE, true), ENT_QUOTES)?></pre></div>
    <div><button onclick="callRequestStorageAccess()">callRequestStorageAccess</button></div>
    <div><button onclick="getCookieByUserAction()">getCookieByUserAction</button></div>
    <script>
        window.onload = function() {
            console.log("Cookie when loading:" + document.cookie);
 
            var promise = document.hasStorageAccess();
            promise.then(
                function (hasAccess) {
                    // Boolean hasAccess says whether the document has access or not.
                    console.log("hasStorageAccess when loading:" + hasAccess);
                }
            );
        }
 
        function callRequestStorageAccess() {
            var promise = document.requestStorageAccess();
            promise.then(
                function () {
                    console.log("Storage access was granted");
                },
                function () {
                    console.log("Storage access was denied");
                }
            );
        }
 
        function getCookieByUserAction() {
            console.log("Cookie when user action:" + document.cookie);
            var promise = document.hasStorageAccess();
            promise.then(
                function (hasAccess) {
                    // Boolean hasAccess says whether the document has access or not.
                    console.log("hasStorageAccess when user action:" + hasAccess);
                }
            );
        }
    </script>
  </body>
</html>

first_party_cookie.php

foo.com ใฎใƒ•ใ‚กใƒผใ‚นใƒˆใƒ‘ใƒผใƒ†ใ‚ฃCookieใ‚’Setใ™ใ‚‹ใŸใ‚ใซ็”จๆ„ใ—ใพใ™ใ€‚iframeๅ†…ใงใฏใชใTOPใƒ•ใƒฌใƒผใƒ ใจใ—ใฆ้ท็งปใ™ใ‚‹ๅฟ…่ฆใŒใ‚ใ‚Šใพใ™ใ€‚

first_party_cookie.php
<?php
setcookie("1st-party-from-server", "foo.com", time() + 86400);
?>
<!DOCTYPE html>
<meta name="viewport" content="width=device-width,initial-scale=1">
<html>
  <head>
    <meta charset="UTF-8" />
    <title>first-paty-cookie</title>
  </head>
  <body>
    <div>first_party_cookie.php</div>
    <div>
        $_COOKIE:<pre><?=htmlspecialchars(print_r($_COOKIE, true), ENT_QUOTES)?></pre>
    </div>
    <div><button onclick="history.back()">back</button></div> 
    <script>
        document.cookie = "1st-party-from-js=foo.com";
    </script>
    </body>
</html>

็ขบ่ชๆ–นๆณ•

ๅฎŸๆฉŸใฎiPhoneใจMacใ‚’ๆŽฅ็ถšใ—ใฆ่กŒใ„ใพใ—ใŸใ€‚ใ‚ณใƒณใ‚ฝใƒผใƒซใซใคใ„ใฆใฏMacใฎSafariใฎWebใ‚คใƒณใ‚นใƒšใ‚ฏใ‚ฟใ‚’ไฝฟ็”จใ—ใพใ—ใŸใ€‚
SafariใฎWebใ‚คใƒณใ‚นใƒšใ‚ฏใ‚ฟใฎไฝฟ็”จๆ–นๆณ•ใฏใ“ใ“ใงใฏๅ‰ฒๆ„›ใ—ใพใ™ใ€‚

  1. iPhoneใฎSafariใซใฆใ€hoge.comใฎ parent.php ใ‚’้–‹ใใพใ™
    parent.png

  2. first_party_cookie in foo.com ใฎใƒชใƒณใ‚ฏใ‚’ๆŠผใ—ใฆใ€foo.comใซ่จญ็ฝฎใ—ใŸใ€first_party_cookie.php ใธ้ท็งปใ—ใพใ™ใ€‚
    ใƒชใƒญใƒผใƒ‰ใ‚’ใ—ใฆใ€CookieใŒใ‚ปใƒƒใƒˆใ•ใ‚ŒใŸใฎใ‚’็ขบ่ชใ—ใฆใใ ใ•ใ„ใ€‚
    first_party_cookie.png
    Safariใฎ็‰นๅพดใจใ—ใฆใ€foo.comใฎใƒ•ใ‚กใƒผใ‚นใƒˆใƒ‘ใƒผใƒ†ใ‚ฃCookieใŒๅญ˜ๅœจใ—ใชใ„ๅ ดๅˆใ€ๅพŒใซๅฎŸ่กŒใ™ใ‚‹requestStorageAccess()ใŒๅคฑๆ•—ใ—ใฆใ—ใพใ„ใพใ™ใ€‚ใใฎใŸใ‚ไบ‹ๅ‰ใซSet-Cookieใ—ใฆใ„ใพใ™ใ€‚
    backใƒœใ‚ฟใƒณใงๆˆปใ‚Šใพใ™ใ€‚

  3. parent.phpใ‚’ใƒชใƒญใƒผใƒ‰ใ—ใพใ™ใ€‚
    ใ‚ณใƒณใ‚ฝใƒผใƒซใซไธ‹่จ˜ใฎใ‚ˆใ†ใซ่กจ็คบใ•ใ‚Œใพใ™ใ€‚
    console_copy1.png
    Cookie when loading:ใฎๅพŒใ‚ใซไฝ•ใ‚‚ใชใ„ใฎใงใ€ใƒญใƒผใƒ‰ๆ™‚ใฎdocument.cookieใŒnullใซใชใฃใฆใ„ใ‚‹ใ“ใจใŒ็ขบ่ชใงใใพใ™ใ€‚
    ๅ…ˆใปใฉ็ขบ่ชใ—ใŸ1st-party-from-serverใชใฉใฎCookieใŒใ€ใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃใงใฏใƒ–ใƒญใƒƒใ‚ฏใ•ใ‚Œใฆใ„ใ‚‹ใŸใ‚ใงใ™ใ€‚
    ใพใ ใ€requestStorageAccess()ใ‚’ใ—ใฆใ„ใชใ„ใŸใ‚ใ€hasStorageAccessใฏfalseใจใชใฃใฆใ„ใพใ™ใ€‚

  4. callRequestStorageAccessใƒœใ‚ฟใƒณใ‚’ๆŠผใ—ใพใ™ใ€‚
    ไธ‹่จ˜ใฎใƒใƒƒใƒ—ใ‚ขใƒƒใƒ—ใŒ่กจ็คบใ•ใ‚Œใพใ™ใ€‚
    popup.png

่จฑๅฏใ‚’ๆŠผใ—ใ€requestStorageAccess()ใŒๆˆๅŠŸใ—ใŸๅ ดๅˆใฏใ‚ณใƒณใ‚ฝใƒผใƒซใซStorage access was grantedใจ่กจ็คบใ•ใ‚Œใพใ™ใ€‚
console_copy2.png

  1. getCookieByUserActionใƒœใ‚ฟใƒณใ‚’ๆŠผใ—ใพใ™ใ€‚
    ใ‚ณใƒณใ‚ฝใƒผใƒซใซfoo.comใฎfirst_party_cookie.phpใงSetใ—ใŸCookieใŒ่กจ็คบใ•ใ‚Œใพใ™ใ€‚
    ใ“ใ‚Œใงใ‚ตใƒผใƒ‰ใƒ‘ใƒผใƒ†ใ‚ฃใฎdocument.cookieใŒๅ–ๅพ—ใงใใพใ—ใŸใ€‚
    hasStorageAccess()ใฎ็ตๆžœใ‚‚trueใซใชใ‚Šใพใ—ใŸใ€‚
    console_copy3.png

ๆณจๆ„็‚น

  • ไบ‹ๅ‰ใซใƒ•ใ‚กใƒผใ‚นใƒˆใƒ‘ใƒผใƒ†ใ‚ฃใงSet-Cookieใ™ใ‚‹ๅฟ…่ฆใŒใ‚ใ‚‹ใ€‚
  • ใƒฆใƒผใ‚ถใ‚ธใ‚งใ‚นใƒใƒฃใƒผใงใ€requestStorageAccess()ใ‚’callใ™ใ‚‹ๅฟ…่ฆใŒใ‚ใ‚‹ใ€‚
    • requestStorageAccess()ใ‚’promiseใฎcallbackใฎfunctionใซ้…็ฝฎใ—ใŸๅ ดๅˆใ€ใƒฆใƒผใ‚ถใ‚ธใ‚งใ‚นใƒใƒฃใจใฟใชใ•ใ‚Œใšใ€ๅคฑๆ•—ใ—ใฆใ—ใพใ†ใฎใงๆณจๆ„ใ€‚
  • ใƒšใƒผใ‚ธใ‚’ใƒชใƒญใƒผใƒ‰ใ—ใŸๅ ดๅˆใฏใ€requestStorageAccess()ใงๅ–ๅพ—ใ—ใŸ่จฑๅฏใŒใƒชใ‚ปใƒƒใƒˆใ•ใ‚Œใฆใ—ใพใ†ใ€‚
    • ใใฎๅ ดๅˆใฏๅ†ๅบฆใƒฆใƒผใ‚ถใ‚ธใ‚งใ‚นใƒใƒฃใซใ‚ˆใ‚‹requestStorageAccess()ใ‚’callใ™ใ‚‹ๅฟ…่ฆใŒใ‚ใ‚‹ใ€‚
    • 2ๅ›ž็›ฎใฏใƒใƒƒใƒ—ใ‚ขใƒƒใƒ—ใฏ่กจ็คบใ•ใ‚Œใชใ„ใ€‚

ใพใจใ‚

ใ‚ใงใŸใdocument.cookieใฏๅ–ๅพ—ใงใใŸใฎใงใ™ใŒใ€child.php ใธใฎ้€šไฟกใ‚’่ฆ—ใ„ใฆใฟใŸใŸใจใ“ใ‚ใ€Cookieใƒ˜ใƒƒใƒ€ใƒผใฏๅญ˜ๅœจใ—ใพใ›ใ‚“ใงใ—ใŸใ€‚
ใใฎใŸใ‚ใ‚ตใƒผใƒๅดใงใฎ$_COOKIE ใงใฎๅ–ๅพ—ใฏไธๅฏ่ƒฝใงใ—ใŸใ€‚
็พๅœจใฎๅฎŸ่ฃ…ใŒใ‚ตใƒผใƒๅดใงใฎCookieๅ–ๅพ—ใซไพๅญ˜ใ—ใฆใ„ใ‚‹ๅ ดๅˆใฏใ€document.cookieใธใฎ็งป่กŒใฏใƒใƒผใƒ‰ใƒซใŒ้ซ˜ใใ†ใงใ™ใ€‚
ใพใŸใƒฆใƒผใ‚ถใ‚ธใ‚งใ‚นใƒใƒฃใƒผใŒๅฟ…่ฆใงใ‚ใ‚‹็‚นใ€ใƒชใƒญใƒผใƒ‰ใ™ใ‚‹ใจใƒชใ‚ปใƒƒใƒˆใ•ใ‚Œใ‚‹็‚นใฏใ€็งป่กŒใ‚’ไธๅฏ่ƒฝใซใ™ใ‚‹่ฆ็ด ใซใชใ‚‹ใ‹ใ‚‚ใ—ใ‚Œใพใ›ใ‚“ใ€‚
2024ๅนดๆ™‚็‚นใงใฏใ€CHIPSใจ็ต„ใฟๅˆใ‚ใ›ใ‚‹ใ“ใจใงๆฐธ็ถš็š„ใชใƒญใ‚ฐใ‚คใƒณใŒๅฏ่ƒฝใซใชใฃใฆใ„ใพใ™ใ€‚ไธ‹่จ˜ใฎ่จ˜ไบ‹ใ‚’ๅ‚็…งใ—ใฆใใ ใ•ใ„ใ€‚
https://qiita.com/reoito/items/357d0e8e63290200f0fe

7
8
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
reoito

Today's trending articles

t7u-ito

@t7u-ito

Pythonใฎๅ‹‰ๅผทใ‚’ๅง‹ใ‚ใŸใจใ“ใ‚ๆจ™ๆบ–ใƒฉใ‚คใƒ–ใƒฉใƒชใŒๅผทๅŠ›ใ™ใŽใฆ๏ผˆJavascriptๆฏ”่ผƒ๏ผ‰้ฉšใใพใ—ใŸใ€‚Pythonใ‹ใ‚‰ใƒ—ใƒญใ‚ฐใƒฉใƒ ใฎๅ‹‰ๅผทใ‚’ๅง‹ใ‚ใ‚‹ใจๅคš่จ€่ชžๅญฆ็ฟ’ใซ่‹ฆๅŠดใ™ใ‚‹ใฎใงใฏ็„กใ„ใงใ—ใ‚‡ใ†ใ‹๏ผŸ

See all

Comments

No comments

Let's comment your feelings that are more than good

LoginSign Up

Being held Article posting campaign

All
7
8

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

Login to continue?

Login or Sign up with social account

Login or Sign up with your email address

Login with your email addressSign up with your email address