Safari 3rd party cookie iframe trick no longer working?


Question


So this is the umpteenth revenge of the "how do I get 3rd party cookies to work in Safari" question but I'm asking again because I think the playing field has changed, perhaps after February 2012. One of the standard tricks to get 3rd party cookies in Safari was as follows: use some javascript to POST to a hidden iframe. It (used to) trick Safari into thinking that the user had interacted with the 3rd party content and so then allow cookies to be set.


I think this loophole has been closed in the wake of the mild scandal where it was revealed that Google was using that trick with its ads. At the very least, while using this trick I have been completely unable to set cookies in Safari. I unearthed some random internet postings that claimed that Apple was working on closing the loophole but I haven't found any official word.


As a fallback I even tried redesigning the main third party frame so that you had to click on a button before the content would load but even that level of direct interaction was not enough to melt Safari's cold cold heart.


So does anyone know for certain if Safari has indeed closed this loophole? If so, are there other workarounds (other than manually including a session ID in every request)?

Answer


Just wanted to leave a simple working solution here that does not require user interaction.

As I mentioned in my post:


Basically all you need to do is load your page on top.location, create the session and redirect it back to facebook.


Add this code in the top of your index.php and set $page_url to your application final tab/app URL and you’ll see your application will work without any problem.

<?php
    // START SAFARI SESSION FIX
    session_start();
    // Final tab/app URL that the top-level window is sent back to.
    $page_url = "http://www.facebook.com/pages/.../...?sk=app_...";

    // Loaded at top level: the session cookie is now first-party, go back to Facebook.
    if (isset($_GET["start_session"]))
        die(header("Location:" . $page_url));

    // First hit inside the iframe: put the session id in the URL so the next request can compare it.
    if (!isset($_GET["sid"]))
        die(header("Location:?sid=" . session_id()));
    $sid = session_id();

    // The cookie was not sent back (Safari dropped it): break out of the iframe with a top-level load.
    if (empty($sid) || $_GET["sid"] != $sid):
?>
    <script>
        top.window.location="?start_session=true";
    </script>
<?php
    endif;
    // END SAFARI SESSION FIX
?>


Note: This was made for facebook, but it would actually work within any other similar situations.


The above code does not maintain the request's POST data, and you would lose the signed_request; if your application relies on the signed request feel free to try the following code:

Note: this is still being properly tested and may not be as stable as the first version. Use at your own risk / feedback welcome.


(Thanks to CBroe for pointing me in the right direction here, allowing me to improve the solution)

<?php
// Start Session Fix
session_start();
$page_url = "http://www.facebook.com/pages/.../...?sk=app_...";

// Top-level load: the session cookie is now first-party, send the window back to Facebook.
if (isset($_GET["start_session"]))
    die(header("Location:" . $page_url));
$sid = session_id();

// First hit inside the iframe: stash the POSTed signed_request in the session,
// since it is lost across the redirects, then echo the session id in the URL.
if (!isset($_GET["sid"]))
{
    if (isset($_POST["signed_request"]))
        $_SESSION["signed_request"] = $_POST["signed_request"];
    die(header("Location:?sid=" . $sid));
}

// The cookie was not sent back (Safari dropped it): break out of the iframe with a top-level load.
if (empty($sid) || $_GET["sid"] != $sid)
    die('<script>top.window.location="?start_session=true";</script>');
// End Session Fix
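To make the redirect dance concrete, here is an added Python simulation (not the poster's code) of the first version of the fix: a small server implementing its three branches, and a browser model applying the cookie rule the trick relies on, namely that in a third-party context a host may only set cookies if it already holds some. The hosts and page URL are invented and the policy model is an assumption; the simulation also shows the failure mode where cookies are blocked outright and the handshake never settles.

```python
import itertools

APP, FB = "app.example", "facebook.example"       # hypothetical hosts (assumption)
PAGE_URL = "https://facebook.example/pages/app"   # stands in for $page_url

class Browser:
    """Safari-style jar: third-party hosts may set cookies only if they already have some."""
    def __init__(self, block_third_party=True, block_all=False):
        self.jar, self.block_third_party, self.block_all = {}, block_third_party, block_all
    def accept(self, host, top, name, value):
        third_party = host != top
        if self.block_all or (self.block_third_party and third_party and host not in self.jar):
            return False                       # Set-Cookie silently dropped
        self.jar.setdefault(host, {})[name] = value
        return True

class AppServer:
    """Server half of the fix: session_start() emulation plus the three branches."""
    def __init__(self):
        self.ids = (f"sess{i}" for i in itertools.count(1))
    def handle(self, cookies, query):
        sid, set_cookie = cookies.get("PHPSESSID"), None
        if sid is None:                        # session_start() without a cookie: new id
            sid = next(self.ids)
            set_cookie = ("PHPSESSID", sid)
        if "start_session" in query:           # top-level load done, back to Facebook
            return "redirect_top", PAGE_URL, set_cookie
        if "sid" not in query:                 # first iframe hit: echo the id in the URL
            return "redirect", {"sid": sid}, set_cookie
        if query["sid"] != sid:                # cookie did not come back: leave the iframe
            return "break_out", {"start_session": "true"}, set_cookie
        return "ok", sid, set_cookie

def run(browser, max_hops=8):
    """Drive the handshake; returns (outcome, requests made, top-level hop used)."""
    server, top, query, broke_out = AppServer(), FB, {}, False
    for hops in range(1, max_hops + 1):
        kind, arg, set_cookie = server.handle(browser.jar.get(APP, {}), query)
        if set_cookie:
            browser.accept(APP, top, *set_cookie)
        if kind == "ok":
            return "ok", hops, broke_out
        if kind == "redirect":                 # same frame, new query string
            query = arg
        elif kind == "break_out":              # top.window.location = ?start_session=true
            top, query, broke_out = APP, arg, True
        else:                                  # Location: $page_url, iframe reloads fresh
            top, query = FB, {}
    return "loop", max_hops, broke_out          # redirect loop: the cookie never sticks
```

With the default policy the session settles after one top-level hop; with cookies blocked entirely the script keeps bouncing between the iframe and the top-level load, which is worth guarding against in a real deployment.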
