Cannot set cookies in IFRAME in IE, even with P3P header

I've seen many posts here on how to get cookies to work inside an iframe in IE, and I've tried several of the solutions, but so far have had no luck. Here's what I'm dealing with:

  • I have an iframe that is created through JavaScript on a customer's site (a widget). I have no control of the customer's site. I need to set cookies to keep the user logged in within the iframe, and it works in Chrome and Firefox, but not in IE 7/8. I haven't tested IE 6, but I assume it has the same problem.

  • I created a P3P policy using IBM's policy editor, and the editor said that the compact policy was acceptable under IE's security, whether it's set to Low, Medium, or High. The CP I'm using is:

    P3P: policyref="/w3c/p3p.xml" CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa CONi TELi OUR IND PHY ONL UNI COM NAV INT DEM CNT PRE"

    (I have tried several other CPs that people say work, but have seen no difference in the result.)

  • The webserver (NGINX) is serving this P3P header with every file. I am not serving it from code.

  • The p3p.xml file exists and matches the compact policy. The p3p.xml validates using the W3C P3P validator.

  • Even with the P3P header (no matter which one I tried), IE gives me the "evil eye" in the status bar at the bottom and will not let me set cookies. They show as Blocked in the privacy report.

  • I read Piskvor's post on SO about this topic, "Cookie blocked/not saved in IFRAME in Internet Explorer", but I have not been able to reproduce what he was able to do on his demo site: http://newmoon.wz.cz/test/page.php?send_p3p=1. I assume this is because I am getting the evil eye and he is not. I have done everything I've read about as a recommendation to get rid of the evil eye, yet it persists. Mocking me.

  • My test page is here if you want to try it out: http://truelike.com/js/bobs/frametest.php The set/read pages work fine when viewed outside of the iframe, but don't work at all inside when using IE.

  • For reference, I'm using PHP on the backend.

Any help at all would be much appreciated - we're getting desperate here.

Thanks!

So, I resolved this myself. It looks like the problem was with NGINX's HTTPUserIDModule (http://wiki.nginx.org/HttpUserIdModule). I had been using that to send the P3P header, but nginx wasn't sending the header consistently, perhaps due to this line in their documentation:

Directive assigns value for the header P3P, which will sent together with cookie.

I was seeing the headers come through when checking with curl or lynx, but not when I checked with Firebug or Charles. Perhaps there is a config option to fix this, but I couldn't find it.

Anyway, if you pull the header directive OUT of the HTTPUserIdModule and just send the header manually in code, it works. It would probably work if you manually send the header using the HTTPHeadersModule (http://wiki.nginx.org/HttpHeadersModule), but I haven't tested this yet.

Once it was working through code, I saw that I didn't need the header on all files - having it only on the files setting/getting cookies was enough, contrary to a lot of the advice I've seen.

Also, my CP was apparently too aggressive, despite IBM's policy editor saying it was okay. I used a more basic CP, and that worked.
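The difference the answer above describes, written out as an nginx configuration. This is an added example, not the poster's configuration or code from the nginx project. The host name, cookie name, FastCGI address and the compact-policy placeholder are assumptions, and the answer itself notes that the HttpHeadersModule route was untested.

```nginx
# Added example. Host name, cookie name, FastCGI address and the CP
# placeholder are assumptions; substitute the policy that matches your p3p.xml.

# --- Before: P3P comes only from the userid module -------------------------
# userid_p3p is emitted together with the uid cookie this module issues.
# A response in which nginx does not issue that cookie carries no P3P, even
# when the PHP application sets its own login cookie in it.
server {
    listen      80;
    server_name widget.example.test;

    userid      on;
    userid_name uid;
    userid_p3p  'policyref="/w3c/p3p.xml" CP="<compact policy tokens>"';

    location ~ \.php$ {
        include      fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}

# --- After: P3P sent independently of the userid cookie --------------------
# Use this server block instead of the one above, not alongside it.
server {
    listen      80;
    server_name widget.example.test;

    userid      on;
    userid_name uid;
    # no userid_p3p here

    location ~ \.php$ {
        # Attached to every response from this location. Without "always"
        # (nginx 1.7.5+), add_header skips error status codes. An add_header
        # in a nested block replaces, rather than extends, inherited ones.
        add_header   P3P 'policyref="/w3c/p3p.xml" CP="<compact policy tokens>"';
        include      fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

To check the result the way a browser sees it, repeat the request with the uid cookie already present (for example with curl's cookie jar options -c and -b) and confirm that P3P is still in the response.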

Changes with nginx 0.8.20
Bugfix: the "Set-Cookie" and "P3P" FastCGI response header lines were not hidden while caching if no "fastcgi_hide_header" directives were used with any parameters.

Nginx Changes log
