来自其他域的 AJAX 响应中的 Cookie 不受欢迎 - 是否有解决方法 [英] Cookie in AJAX response from other domain not honored - are there workarounds

问题描述

我在域 api.example.com

用户正在访问 www.website.com，其中脚本向 api.example.com 发出 XmlHttpRequest 请求，并通过 cookie 获得响应.

User is visiting www.website.com where a script makes an XmlHttpRequest to api.example.com and gets a response with a cookie.

API 的响应 cookie 似乎不受 HTTP 代理的认可.

It appears the API's response cookie is not honored by the HTTP agent.

我知道非跨域泄漏 cookie 政策，但我认为这里的域是 api.example.com.看来我猜错了.

I'm aware of the non-cross-domain-leaking-cookie policy, but I thought the domain here would be api.example.com. Seems I guessed wrong.

我在 api.example.com 上的 API 是否可以通过其他方式记住从一个站点到另一个站点的用户数据?如果没有，从这个角度来看，Criteo 和其他重定向网站等服务如何运作?

Is there some other way that my API on api.example.com could remember user data from one site to another? If not, how could services like Criteo and other retargeting sites work, from this point of view?

推荐答案

确保您的 API 设置:

Make sure your API set:

1. Access-Control-Allow-Credentials 标头到 true 在可能的预检响应和常规响应中，
2. Access-Control-Allow-Origin 标头到来自实际请求的源值，
3. 并且客户端将 XMLHttpRequest.withCredentials 设置为 true.

1. Access-Control-Allow-Credentials header to true in possible preflight response and regular response,
2. Access-Control-Allow-Origin header to value of the origin from the actual request,
3. and client sets XMLHttpRequest.withCredentials to true.

这篇关于来自其他域的 AJAX 响应中的 Cookie 不受欢迎 - 是否有解决方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！