
IE11 does not set x-csrftoken HTTP header, unless with an InPrivate window, this causes server to respond with HTTP 403 Access Denied

I've been baffled by this for two days now. The situation:

  • Simple website, running in WebSharper, login screen, single view, through XHR with application/json responses
  • The site is run from within an iframe with different domains (I cannot change that, but I have access to both sites). Without iframe there are no problems.
  • You should see an error with faulty login, but this doesn't work in IE11 on Windows 7. It works in the same IE11 in InPrivate mode and any IE11 on Windows 10. It is not a caching issue.
  • The site sets cookies, but works cookieless if cookies cannot be set (i.e., iPhone)

It appears that in InPrivate mode, the x-csrftoken is set in the request header; outside InPrivate mode this header is not set. The server then returns an HTTP 403 error, which seems to be at the root of the problem.

I don't know how to instruct the server (IIS) to ignore this token.

To see this behavior in action, go to that site and type in anything, then click "Inloggen". You should see a login error (in Dutch), but in IE11 on Windows 7, this error does not appear.

I tried this solution by Microsoft, on improper rights on LocalLow, but it did not resolve the issue and seems otherwise unrelated.

Apparently this is a bug in IE11 on Windows 7 and Windows 8/8.1. I found out that the browser does send the csrftoken cookie, but forgets the required x-csrftoken HTTP header, which all other browsers, including older and newer versions of IE and IE11 on Windows 10, properly send.

If your toolchain protects itself by validating the x-csrftoken (which is recommended by any framework), then this fails with IE11. It was discussed here for WebSharper, but without a complete solution yet.

The workaround that I found that worked properly is the following. It's hacky: it alters the HTTP headers upon arrival, but other tools do that too (think proxy servers, for one). Here's code to place in global.asax.fs in F# if you are using WebSharper (a bit messy, but I'll leave cleaning up as an exercise for the reader ;)).

open System.Web

// global.asax.fs: the class named in the Inherits attribute of Global.asax (the name "Global" is assumed here)
type Global() =
    inherit HttpApplication()

    member __.Application_BeginRequest(sender: obj, args: System.EventArgs) =
        HttpContext.Current
        |> function
        | null -> ()
        | ctx ->
            match ctx.Request with
            | null -> ()
            | req ->
                // the double-submit check needs cookie "csrftoken" and header "x-csrftoken" to agree
                match req.Cookies.Item "csrftoken", req.Headers.Item "x-csrftoken" with
                | null, null -> ()
                | cookie, null ->
                    // fix for IE11, which does not always set the HTTP header "x-csrftoken"
                    try req.Headers.Item "x-csrftoken" <- cookie.Value
                    with _ -> ()       // ignore possible errors (the header collection may refuse writes)
                | null, _ ->
                    // if the header is set but the cookie is not, there's nothing we can do (cookie collection is read-only)
                    ()
                | cookie, csrfHeader when cookie.Value <> csrfHeader ->
                    // header present but different from the cookie: overwrite it with the cookie value
                    try req.Headers.Item "x-csrftoken" <- cookie.Value
                    with _ -> ()       // ignore possible errors
                | _ ->
                    ()      // all is fine, the default: cookie "csrftoken" and header "x-csrftoken" are equal
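
An added example, not code from the question, the answer or WebSharper: a minimal double-submit cookie check in Python that runs the header-copy workaround above against a constructed cross-site request, and compares it with an alternative policy that also accepts the token in the JSON body. From the server's point of view a legitimate IE11 request with the header missing is indistinguishable from a cross-site request carrying the cookie, so copying the cookie into the header makes both pass. The request shapes, the token value and the body-fallback policy are assumptions.

```python
import hmac

# Constructed sample requests, not captured traffic: cookie jar, headers and parsed
# JSON body as the server sees them. "ie11_bug" and "cross_site" are identical from
# the server's point of view, which is the whole problem with the header-copy fix.
TOKEN = "abc123"
REQUESTS = {
    "normal":        {"cookies": {"csrftoken": TOKEN}, "headers": {"x-csrftoken": TOKEN}, "body": {}},
    "ie11_bug":      {"cookies": {"csrftoken": TOKEN}, "headers": {}, "body": {}},
    "cross_site":    {"cookies": {"csrftoken": TOKEN}, "headers": {}, "body": {}},
    "ie11_fallback": {"cookies": {"csrftoken": TOKEN}, "headers": {}, "body": {"csrftoken": TOKEN}},
    "mismatch":      {"cookies": {"csrftoken": TOKEN}, "headers": {"x-csrftoken": "other"}, "body": {}},
}


def double_submit_ok(req, allow_body_fallback=False):
    """Double-submit cookie check: the csrftoken cookie must equal a token the page's
    own script supplied, normally in x-csrftoken, optionally (assumed policy) in the body."""
    cookie = req["cookies"].get("csrftoken")
    if not cookie:
        return False
    submitted = req["headers"].get("x-csrftoken")
    if submitted is None and allow_body_fallback:
        submitted = req["body"].get("csrftoken")
    if submitted is None:
        return False
    return hmac.compare_digest(cookie, submitted)  # constant-time comparison


def copy_cookie_into_header(req):
    """Same effect as the global.asax.fs workaround: when the header is absent or
    differs from the cookie, overwrite it with the cookie value before validation."""
    cookie = req["cookies"].get("csrftoken")
    header = req["headers"].get("x-csrftoken")
    if cookie and header != cookie:
        return {**req, "headers": {**req["headers"], "x-csrftoken": cookie}}
    return req


def outcomes():
    """HTTP status each sample request would get under the three policies."""
    def status(ok):
        return 200 if ok else 403
    return {
        name: {
            "strict": status(double_submit_ok(r)),
            "header_copy": status(double_submit_ok(copy_cookie_into_header(r))),
            "body_fallback": status(double_submit_ok(r, allow_body_fallback=True)),
        }
        for name, r in REQUESTS.items()
    }
```

Under "header_copy" the cross-site and mismatched requests get 200 alongside the IE11 one, so the check no longer protects anything; the body-fallback policy keeps rejecting them because a cross-site page cannot read the cookie to put its value in the body.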
