来自其他域的 AJAX 响应中的 Cookie 不受欢迎 - 是否有解决方法 [英] Cookie in AJAX response from other domain not honored - are there workarounds
问题描述
我在域 api.example.com
用户正在访问 www.website.com
,其中脚本向 api.example.com
发出 XmlHttpRequest 请求,并通过 cookie 获得响应.
User is visiting www.website.com
where a script makes an XmlHttpRequest to api.example.com
and gets a response with a cookie.
API 的响应 cookie 似乎不受 HTTP 代理的认可.
It appears the API's response cookie is not honored by the HTTP agent.
我知道非跨域泄漏 cookie 政策,但我认为这里的域是 api.example.com
.看来我猜错了.
I'm aware of the non-cross-domain-leaking-cookie policy, but I thought the domain here would be api.example.com
. Seems I guessed wrong.
我在 api.example.com
上的 API 是否可以通过其他方式记住从一个站点到另一个站点的用户数据?如果没有,从这个角度来看,Criteo 和其他重定向网站等服务如何运作?
Is there some other way that my API on api.example.com
could remember user data from one site to another? If not, how could services like Criteo and other retargeting sites work, from this point of view?
推荐答案
确保您的 API 设置:
Make sure your API set:
Access-Control-Allow-Credentials
标头到true
在可能的预检响应和常规响应中,Access-Control-Allow-Origin
标头到来自实际请求的源值,- 并且客户端将
XMLHttpRequest.withCredentials
设置为true
.
Access-Control-Allow-Credentials
header totrue
in possible preflight response and regular response,Access-Control-Allow-Origin
header to value of the origin from the actual request,- and client sets
XMLHttpRequest.withCredentials
totrue
.
这篇关于来自其他域的 AJAX 响应中的 Cookie 不受欢迎 - 是否有解决方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!