CORS request with IE11

Problem description

I have a CORS (cross origin resource sharing) request coming from my login page to the application site, on a different URL. I have a simple page I ping to determine if a user is already logged in, and if so, redirects them. Otherwise I show a login page. I use jQuery.

This works great in Safari, Chrome, Firefox... and not IE (naturally). According to MS, IE 10 and later should support CORS requests with withCredentials.

I'm using jquery-2.0.3.min.js

Any ideas why this isn't working in IE11?

It appears as though it IS partially working, as it is now returning a value of {"id":false}. This happens every time, meaning that the server is never getting the credentials. I am also posting my is_logged_in page; I am using the CodeIgniter framework.

After enabling "Allow data sources across domains" under IE's security settings, I no longer receive any error messages.

The exact error I am receiving is:

SEC7118: XMLHttpRequest for http://mysite.net/guest/is_logged_in required Cross Origin Resource Sharing (CORS).

$.ajax({
    url: 'http://mysite.net/guest/is_logged_in',
    type: 'POST',
    crossDomain: true,
    xhrFields: {
        withCredentials: true
    },
    dataType: 'json',
    success: function(data) {
        if (data.id) {
            window.location.replace("http://mysite.net");
        }
    }
});

public function is_logged_in()
{
    $allowed = array(
        'http://mysite.net',
        'http://www.mysite.net',
        'http://www.mysite.com',
    );

    $url = $_SERVER['HTTP_REFERER'];
    $url = substr($url, 0, strpos($url, '/', 8));
    if(isset($_SERVER['HTTP_ORIGIN']))
    {
        if(in_array($_SERVER['HTTP_ORIGIN'], $allowed))
        {
            $this->output->set_header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
        }
    }
    else
    {
        if(in_array($url, $allowed))
        {
            $this->output->set_header('Access-Control-Allow-Origin: ' . $url);
        }
    }


    $this->output->set_header('Access-Control-Allow-Headers: X-Requested-With');
    $this->output->set_header('Access-Control-Allow-Credentials: true');
    $this->output->set_header("Access-Control-Expose-Headers: Access-Control-Allow-Origin");


    //TODO: Try to detect if this is an ajax request, and disallow it if not.

    $data = new stdClass();
    $this->load->library("ion_auth");
    if($this->ion_auth->logged_in())
    {
        $data->name = $this->ion_auth->user()->row()->first_name;
        $data->id = $this->ion_auth->get_user_id();
    } else {
        $data->id = false;
    }

    $this->output->set_output(json_encode($data));

}

Thanks in advance.

Recommended answer

Changing the setting for "Access data sources across domains" to Enabled turns off cross-domain checks in IE and is horrifically unsafe. Instead, you need to ensure that the target 3rd-party resource sends a valid P3P policy that indicates that it's not doing horrible things to the user's privacy.
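
An added example, not part of the original question or answer: the server-side header decision for the credentialed request discussed above, written as a plain JavaScript function so it runs offline. The allowlist mirrors the question's `$allowed` array; the names `corsHeaders` and `P3P_POLICY` and the placeholder policy value are assumptions, and the real compact policy must come from the site itself.

```javascript
// Origins allowed to make credentialed cross-origin calls (taken from the question's $allowed list).
const ALLOWED_ORIGINS = new Set([
  'http://mysite.net',
  'http://www.mysite.net',
  'http://www.mysite.com',
]);

// Placeholder only: the answer asks for a valid P3P policy, which the site must supply.
const P3P_POLICY = 'CP="<site compact policy goes here>"';

// Decide which CORS headers to attach to a response (hypothetical helper).
function corsHeaders(requestHeaders, method) {
  // Normalise header names so "Origin" and "origin" are treated alike.
  const h = {};
  for (const [k, v] of Object.entries(requestHeaders)) h[k.toLowerCase()] = v;

  // The answer differs per origin, so shared caches must key on it.
  const headers = { 'Vary': 'Origin' };
  const origin = h['origin'];

  // Exact match against the allowlist. No substring or prefix test, no
  // fallback to Referer, and the literal "null" origin is never accepted.
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return { crossOriginAllowed: false, headers };
  }

  // With withCredentials the browser rejects "*", so echo the vetted origin.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['P3P'] = P3P_POLICY;

  // Preflight answers additionally name the permitted method and header.
  if (method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = 'POST';
    headers['Access-Control-Allow-Headers'] = 'X-Requested-With';
  }
  return { crossOriginAllowed: true, headers };
}

// Constructed sample requests, not captured traffic.
const samples = [
  [{ Origin: 'http://www.mysite.com' }, 'POST'],
  [{ Origin: 'http://mysite.net.attacker.example' }, 'POST'],
  [{ Referer: 'http://mysite.net/login' }, 'POST'],
];
for (const [req, method] of samples) {
  console.log(JSON.stringify(req), '->', JSON.stringify(corsHeaders(req, method)));
}
```

A response without `Access-Control-Allow-Origin` is still delivered by the server; it is the browser that withholds it from the calling script, so the endpoint must not rely on these headers for authorization.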
