Cross-domain cookies in IE 8 and 9 without an iframe?

Suppose I control two domains, www.api_domain.com and www.website_domain.com. www.api_domain.com offers an API that requires the user to authenticate and then uses a session cookie to recognise the user who is making requests. www.website_domain.com loads a script onto its pages from www.api_domain.com, and that script wants to make calls to API URLs on www.api_domain.com with the current user's cookie and use the results in some way on the page from www.website_domain.com.

For initially loading the script, or for any API URLs that don't require the user's session cookie to work, the easiest solution is simply to use an

Access-Control-Allow-Origin: http://www.website_domain.com

header on the response from www.api_domain.com. This seems to work out of the box on all browsers besides IE, and although IE won't respect the Allow-Origin header on AJAX requests made using jQuery's AJAX methods, there are libraries like xdr.js which do some magic behind the scenes to make jQuery, IE and the Allow-Origin header play nice together and behave like in all other browsers (I don't know the details of what xdr.js does, but it works perfectly for non-credentialed requests as far as I can see).

The problem comes when I want to hit a URL on http://www.api_domain.com that requires the user's session cookie. When this problem is discussed in a browser-agnostic setting, two solutions are usually proposed:

  1. Use Access-Control-Allow-Credentials: true on the response to make cookies be sent even with cross-domain requests.
  2. Create an iframe on the page on http://www.website_domain.com with origin http://www.api_domain.com, have the two windows communicate with each other using HTML5 post messages, and delegate all responsibility for making requests to http://www.api_domain.com to the iframe.

I would greatly prefer to use option 1 if possible, since it lets you write your Javascript code to use the API on http://www.api_domain.com in the same way that you would write it to touch a same-domain API. To use the iframe approach, we'd need to learn or create some framework for sending AJAX-like requests to the iframe, with success and error handlers. It also means we need to create the code to be loaded into the iframe, which will just be a whole chunk of thin wrappers for hitting the API URLs. It just seems uglier, trickier, and harder to understand than the first approach.

However, I can't figure out how to make option 1 work on IE. I'm setting Access-Control-Allow-Credentials: true on my API URLs, and all other browsers send cookies to those URLs, but IE 9 doesn't, even with the xdr.js library. (I haven't tested on IE 8.) There are no other symptoms to report whatsoever. I can see the proper Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers in the responses from www.api_domain.com when I view them in IE's developer tools, but there are no cookie headers in the request.

Is there some hack or magical incantation that I can use to make Internet Explorer respect the Access-Control-Allow-Credentials header, or some other header I can use that IE recognises?

Option 1 is not possible in IE9 or below because there is no support for CORS using the XMLHttpRequest. Additionally, if you try to use XDomainRequest, you will never be able to send any cookies along with your request. I've been down this road several times working on writing a UI testing library to be used with testswarm. What you want to do is just not possible in that manner.

Here is a post by Eric Law, an ex-Microsoft developer, discussing the issue in detail: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

The relevant sections, which make clear that sending cookies with a CORS request is impossible in IE 8 and 9, are as follows:

In Internet Explorer 8, the XDomainRequest object was introduced. This object allows AJAX applications to make safe cross-origin requests directly by ensuring that HTTP Responses can only be read by the current page if the data source indicates that the response is public; in that way, the Same Origin Policy security guarantee is protected. Responses indicate their willingness to allow cross domain access by including the Access-Control-Allow-Origin HTTP response header with value *, or the exact origin of the calling page.

When designing the new object, ensuring that existing sites and services would not be put at risk was our top priority. To that end, we imposed a number of restrictions on what sort of requests can be made with the XDomainRequest object.

...

5: No authentication or cookies will be sent with the request

In order to prevent misuse of the user's ambient authority (eg cookies, HTTP credentials, client certificates, etc), the request will be stripped of cookies and credentials and will ignore any authentication challenges or Set-Cookie directives in the HTTP response. XDomainRequests will not be sent on previously-authenticated connections, because some Windows authentication protocols (eg NTLM/Kerberos) are per-connection-based rather than per-request-based.

Sites that wish to perform authentication of the user for cross-origin requests can use explicit methods (eg tokens in the POST body or URL) to pass this authentication information without risking the user's ambient authority.

Now, assuming you control both locations, you could presumably create a server-to-server authentication process and pass a session id of sorts, provided by the domain the client is actually on, to the other domain through your request. It's not pretty, but it works. This method is also mentioned in the article. You will want to be careful, though, because it opens up the possibility for session hijacking.

IE8+ has an alternative to XMLHttpRequest that supports credentials, which is XDomainRequest. Anyway, XDomainRequest is not implemented by jQuery because it has less functionality than XMLHttpRequest provides, but there are plugins like the jQuery CORS Plugin that provide what you need.

jQuery plugin which transparently adds Cross Origin Resource Sharing (CORS) amongst browsers, including IE8+, to allow cross-domain Ajax requests with cookies and headers support.

Also, I think (but am not sure) that IE doesn't support wildcards in headers like Access-Control-Allow-Origin: *.
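The response headers that option 1 in the question needs, together with the wildcard point raised in this answer, as an added example that is not code from the original question or answers. ALLOWED_ORIGINS and all function names are assumptions; the origins are the ones from the question. The header builder echoes one allowlisted origin and never a wildcard, because every browser rejects Access-Control-Allow-Origin: * on a credentialed request, so a wildcard is not an option for this use case in any vendor's browser. chooseTransport is the client-side feature check that tells a CORS-capable XMLHttpRequest (IE10+ and other browsers) apart from IE8/9's XDomainRequest, which can make the request but never carries cookies.

```javascript
// Added example, not code from the original question or answers.
// Server side (www.api_domain.com): build CORS response headers for a
// credentialed request. Client side: detect whether the browser's transport
// can send cookies cross-origin at all. Assumption: ALLOWED_ORIGINS is the
// API's allowlist; only the origin from the question is in it.
const ALLOWED_ORIGINS = new Set(['http://www.website_domain.com']);

// Returns the CORS headers to add to the response for a request carrying the
// given Origin header. Returns {} for disallowed origins, which makes the
// browser refuse to expose the response to the page.
function corsHeaders(requestOrigin, options) {
  const credentialed = Boolean(options && options.credentialed);
  const headers = {};
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return headers;
  // Echo the exact allowlisted origin. A literal "*" is rejected by browsers
  // when Access-Control-Allow-Credentials is true, so there is no wildcard fallback.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  // The value now depends on the request, so shared caches must key on Origin.
  headers['Vary'] = 'Origin';
  if (credentialed) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Review a set of response headers for combinations browsers refuse or that
// leak the response too widely. Returns a list of problems (empty when sound).
function checkCorsPolicy(headers) {
  const problems = [];
  const origin = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'];
  if (origin === '*' && creds === 'true') {
    problems.push('wildcard Access-Control-Allow-Origin with credentials: browsers reject the response');
  }
  if (origin && origin !== '*' && !/(^|,\s*)Origin(\s*,|$)/.test(headers['Vary'] || '')) {
    problems.push('per-origin Access-Control-Allow-Origin without Vary: Origin: caches may serve it to other origins');
  }
  if (creds === 'true' && origin && origin !== '*' && !ALLOWED_ORIGINS.has(origin)) {
    problems.push('credentials allowed for an origin outside the allowlist');
  }
  return problems;
}

// Client side. Takes the global object as a parameter so it can be exercised
// with constructed stand-ins outside a browser.
function chooseTransport(win) {
  if (typeof win.XMLHttpRequest === 'function' && 'withCredentials' in new win.XMLHttpRequest()) {
    return 'xhr-cors';        // IE10+, Firefox, Chrome, Safari: cookies go when xhr.withCredentials = true
  }
  if (typeof win.XDomainRequest === 'function') {
    return 'xdr-no-cookies';  // IE8/9: the cross-origin request works, cookies are always stripped
  }
  return 'none';              // no cross-origin transport at all
}

// What the page on www.website_domain.com would do with the result: refuse to
// fall back to a transport that silently drops the cookie, and configure the
// XHR for credentials. Sending is left to the caller so this runs outside a browser.
function prepareRequest(win, url) {
  const transport = chooseTransport(win);
  if (transport !== 'xhr-cors') {
    throw new Error('browser cannot send cookies cross-origin (' + transport + '); use an explicit token or the iframe/postMessage design');
  }
  const xhr = new win.XMLHttpRequest();
  xhr.withCredentials = true; // required on the client in addition to the server's headers
  if (typeof xhr.open === 'function') xhr.open('GET', url, true);
  return xhr;
}
```

Note that both halves have to agree: the server must send Access-Control-Allow-Credentials: true with an exact origin, and the client must set withCredentials = true, or the cookie is not sent even in browsers that support credentialed CORS.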

Disclaimer: the technical posts on this site are published under the CC BY-SA 4.0 license; if you need to repost, please cite this site's address or the original URL. For any questions, contact yoyou2525@163.com.

 