iframe、跨域 cookie、p3p 策略和 safari 出现错误:未提供所需的防伪令牌或无效 [英] Iframe, cross-domain cookies, p3p policy, and safari with error: A required anti-forgery token was not supplied or was invalid

问题描述

我不久前问了这个问题，发现除非您设置了 p3p 政策，否则 IE 会阻止 iframe 中的跨域 cookie.到目前为止，p3p 修复在 ie 中运行良好.但是，现在我们在 safari 中遇到了同样的错误.

I asked this question a while back and found that IE blocks cross-domain cookies in an iframe unless you set a p3p policy. So far, the p3p fix has worked beautifully in ie. However, now we are getting the same error in safari.

我发现一篇文章有​​不同的p3p 政策 用于 safari.我添加了此代码来设置 p3p 策略，但我仍然收到请求验证令牌错误.

I found an article with a different p3p policy for safari. I added this code to set up the p3p policy, but I am still getting a request verification token error.

public static void SetP3PCompactPolicy()
{
    HttpContext current = HttpContext.Current;

    if (current.Request.UserAgent.ToLower().IndexOf("safari") >= 0)
        HttpContext.Current.Response.AddHeader("p3p", "CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"");
    else
        HttpContext.Current.Response.AddHeader("p3p", "CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"");
}

我不确定这意味着什么，但它不适用于 Safari (5).

I'm not sure what any of that means, but it isn't working for Safari (5).

此外，当我收到服务器错误时，所有信息都会在报告中发送给我，包括所有 http 标头.p3p 标头永远不会出现在这些错误中.我不确定这是设计使然还是表明问题正在发生.

Also, when I get a server error, all information is sent to me in a report, including all the http headers. The p3p header never comes through in these errors. I'm not sure if that is by design or if it is an indicator of the issue going on.

推荐答案

问题是 Safari 不允许在 iframe 中设置 cookie，除非用户与该 iframe 交互.对于某些人来说，这意味着单击链接.我找到了一个更好的解决方案，那就是进行重定向.

The issue is that Safari does not allow a cookie to be set in an iframe unless the user interacts with that iframe. For some, that means clicking a link. I found a better solution which is to do a redirect.

首先，我将此表单放在我的页面上.实际上，我将它放在 iframe 中提供的每个视图使用的母版页中.

First, I put this form on my page. Actually, I put it in the masterpage that is used by every view served in the iframe.

<% if(SecurityHelper.BrowserIsSafari) { %>
    <% using (Html.BeginForm("SafariRedirect", "Framed", FormMethod.Post, new { id="safari-fix-form" })) { %>
       <%: Html.Hidden("safariRedirectUrl")%>
    <% } %>
<% } %>

因为我只希望它在用户使用 safari 时起作用，所以我在静态帮助器类中创建了这个属性来检查用户代理

Because I only want this to work when the user is using safari, I created this property in a static helper class to check the useragent

public static bool BrowserIsSafari
{
    get { return HttpContext.Current.Request.UserAgent.ToLower().IndexOf("safari") >= 0; }
}

然后，在我的控制器中，我有以下操作

Then, in my controller, I have the following action

[HttpPost]
public ActionResult SafariRedirect(string safariRedirectUrl)
{
    Response.Cookies.Add(new HttpCookie("safari_cookie_fix", "cookie ok"));

    return Redirect(safariRedirectUrl);
}

在我的母版页的标题中，我在确定是否呈现表单的同一 if 语句中声明了我的脚本.在我的脚本文件中，我有这个 jquery

In my masterpage, in the header, I have my script declared within the same if statement that determines if the form is rendered. In my script file, I have this jquery

$(function () {

    if ($.browser.safari == true && document.cookie.indexOf("safari_cookie_fix") == -1) {
        var url = location.href;

        $('#safariRedirectUrl').val(url);
        $('#safari-fix-form').submit();
    }

});

iframe 首次加载页面时，如果是 safari 且未设置 cookie，则提交表单，设置 cookie，并将用户重定向回相同的 url.

The first time the iframe loads a page, if it is safari and the cookie isn't set, the form is posted, the cookie set, and the user is redirected back to the same url.

这篇关于iframe、跨域 cookie、p3p 策略和 safari 出现错误:未提供所需的防伪令牌或无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！