Cookie blocked/not saved in IFRAME in Internet Explorer

Problem description


I have two websites, let's say they're example.com and anotherexample.net. On anotherexample.net/page.html, I have an IFRAME SRC="http://example.com/someform.asp". That IFRAME displays a form for the user to fill out and submit to http://example.com/process.asp. When I open the form ("someform.asp") in its own browser window, all works well. However, when I load someform.asp as an IFRAME in IE 6 or IE 7, the cookies for example.com are not saved. In Firefox this problem doesn't appear.

For testing purposes, I've created a similar setup on http://newmoon.wz.cz/test/page.php .

example.com uses cookie-based sessions (and there's nothing I can do about that), so without cookies, process.asp won't execute. How do I force IE to save those cookies?

Results of sniffing the HTTP traffic: on GET /someform.asp response, there's a valid per-session Set-Cookie header (e.g. Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY), but on POST /process.asp request, there is no Cookie header at all.

Edit3: some AJAX+serverside scripting is apparently capable of sidestepping the problem, but that looks very much like a bug, plus it opens a whole new set of security holes. I don't want my applications to use a combination of bug+security hole just because it's easy.

Edit: the P3P policy was the root cause, full explanation below.

Solution

I got it to work, but the solution is a bit complex, so bear with me.

What's happening

As it is, Internet Explorer gives a lower level of trust to IFRAME pages (IE calls this "third-party" content). If the page inside the IFRAME doesn't have a Privacy Policy, its cookies are blocked (which is indicated by the eye icon in the status bar; when you click on it, it shows you a list of blocked URLs).

[image omitted] (source: piskvor.org)

In this case, when cookies are blocked, the session identifier is not sent, and the target script throws a 'session not found' error.

(I've tried setting the session identifier into the form and loading it from POST variables. This would have worked, but for political reasons I couldn't do that.)

It is possible to make the page inside the IFRAME more trusted: if the inner page sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.

How to solve it

Create a p3p policy

A good starting point is the W3C tutorial. I've gone through it, downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by (here it was policy1).

NOTE: at this point, you actually need to find out if your site has a privacy policy, and if not, create it - whether it collects user data, what kind of data, what it does with it, who has access to it, etc. You need to find this information and think about it. Just slapping together a few tags will not cut it. This step cannot be done purely in software, and may be highly political (e.g. "should we sell our click statistics?").

(e.g. "the site is operated by ACME Ltd., it uses anonymous per-session identifiers for its operation, collects user data only if explicitly permitted and only for the following purposes, the data is stored only as long as necessary, only our company has access to it, etc. etc.").

(When editing with this tool, it's possible to view errors/omissions in the policy. Also very useful is the tab "HTML Policy": at the bottom, it has a "Policy Evaluation" - a quick check if the policy will be blocked by IE's default settings)

The Editor exports to a .p3p file, which is an XML representation of the above policy. Also, it can export a "compact version" of this policy.

Link to the policy

Then a Policy Reference file (http://example.com/w3c/p3p.xml) was needed (an index of privacy policies the site uses):

<META>
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/example-com.p3p#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>

The <INCLUDE> shows all URIs that will use this policy (in my case, the whole site). The policy file I've exported from the Editor was uploaded to http://example.com/w3c/example-com.p3p

Send the compact header with responses

I've set the webserver at example.com to send the compact header with responses, like this:

HTTP/1.1 200 OK 
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR IVAi IVDi OUR TST"
// ... other headers and content

policyref is a relative URI to the Policy Reference file (which in turn references the privacy policies), CP is the compact policy representation. Note that the combination of P3P headers in the example may not be applicable on your specific website; your P3P headers MUST truthfully represent your own privacy policy!

Profit!

In this configuration, the Evil Eye does not appear, the cookies are saved even in the IFRAME, and the application works.

Edit: What NOT to do, unless you like defending from lawsuits

Several people have suggested "just slap some tags into your P3P header, until the Evil Eye gives up".

The tags are not only a bunch of bits, they have real world meanings, and their use gives you real world responsibilities!

For example, pretending that you never collect user data might make the browser happy, but if you actually collect user data, the P3P is conflicting with reality. Plain and simple, you are purposefully lying to your users, and that might be criminal behavior in some countries. As in, "go to jail, do not collect $200".

A few examples (see p3pwriter for the full set of tags):

  • NOI: "Web Site does not collect identified data." (as soon as there's any customization, a login, or any data collection (***** Analytics, anyone?), you must acknowledge it in your P3P)
  • STP: "Information is retained to meet the stated purpose. This requires information to be discarded at the earliest time possible. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy." (so if you send STP but don't have a retention policy, you may be committing fraud. How cool is that? Not at all.)

I'm not a lawyer, but I'm not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually being willing to honor your promises.
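As an added example (not part of the question or answer above), here is a Python check of the two pieces the answer deploys: it parses the P3P header's policyref and CP tokens and confirms that the policy reference file covers a given path with COOKIE-INCLUDE. The sample header and reference file are constructed from the answer's own values; the token check only enforces the three-letters-plus-optional-qualifier shape of a compact-policy token and the TST (test-only) marker, not whether IE would accept the policy.

```python
import re
import xml.etree.ElementTree as ET

# One CP token is three capitals plus an optional a/i/o qualifier ("OUR", "IVAi").
CP_TOKEN = re.compile(r"^[A-Z]{3}[aio]?$")
# Constructed sample input: the header and reference file from the answer above.
SAMPLE_HEADER = 'policyref="/w3c/p3p.xml", CP="IDC DSP COR IVAi IVDi OUR TST"'
SAMPLE_REF = ('<META><POLICY-REFERENCES><POLICY-REF about="/w3c/example-com.p3p#policy1">'
              '<INCLUDE>/</INCLUDE><COOKIE-INCLUDE/></POLICY-REF></POLICY-REFERENCES></META>')

def parse_p3p_header(value):
    """Split a P3P header value into its policyref URI and CP tokens."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', value))
    cp = fields.get("CP", "").split()
    return {"policyref": fields.get("policyref"), "cp": cp,
            "bad_tokens": [t for t in cp if not CP_TOKEN.match(t)],
            "test_only": "TST" in cp}  # TST marks the policy as test-only

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an xmlns prefix if present

def policy_for_path(ref_xml, path):
    """Find the POLICY-REF whose INCLUDE covers `path`; None if none does."""
    for ref in ET.fromstring(ref_xml).iter():
        if _local(ref.tag) != "POLICY-REF":
            continue
        includes = [c.text or "" for c in ref if _local(c.tag) == "INCLUDE"]
        cookies = any(_local(c.tag) == "COOKIE-INCLUDE" for c in ref)
        for pat in includes:
            # P3P INCLUDE is a prefix match; "*" is a wildcard.
            rx = "^" + ".*".join(re.escape(p) for p in pat.split("*"))
            if re.match(rx, path):
                return {"policy": ref.get("about"), "cookies": cookies}
    return None

def audit(header_value, ref_xml, path):
    """List what a deployer must fix before relying on this P3P setup."""
    hdr, problems = parse_p3p_header(header_value), []
    if not hdr["policyref"]:
        problems.append("no policyref in P3P header")
    if hdr["bad_tokens"]:
        problems.append("malformed CP tokens: %s" % hdr["bad_tokens"])
    if hdr["test_only"]:
        problems.append("CP contains TST: policy is marked test-only")
    match = policy_for_path(ref_xml, path)
    if match is None:
        problems.append("reference file does not cover %s" % path)
    elif not match["cookies"]:
        problems.append("no COOKIE-INCLUDE for %s" % match["policy"])
    return problems
```

Run against the answer's own values, `audit(SAMPLE_HEADER, SAMPLE_REF, "/someform.asp")` reports only the TST token, which is the one thing to drop before going live.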
