How does Facebook set cross-domain cookies for iFrames on canvas pages?


Question

I was browsing Facebook's documentation reading about canvas applications and I came across an example application: http://developers.facebook.com/docs/samples/canvas. As I read through their example, however, I got very confused about their use of cookies in the iframe application.

A little background...

I had already played around with using iframes for embeddable widgets (unrelated to Facebook) and I found out a few browsers (Chrome, Safari, etc.) have strict cookie policies and don't allow cross-domain cookies set in iframes (Firefox, on the other hand, allows iframes to set cross-domain cookies in iframes). For example, if foo.com has an iframe with src="http://bar.com/widget" the iframe widget will not be able to set any cookies for bar.com and therefore will have trouble persisting state within the iframe: bar.com will interpret every request (including ajax requests) from the widget as a fresh request without an established session. I struggled, and found a way around this by using JSONP and javascript to set cookies for foo.com instead...

...wait?

Well, I was looking at the example canvas iframe Facebook application and I noticed that their application (hosted on runwithfriends.appspot.com) is able to set a cookie, u, with the current user's id along with a few other parameters for the runwithfriends.appspot.com domain. It sends this cookie with every request... and it works in both Chrome and Firefox! WTF? How does Facebook get around the cross-domain cookie restrictions on Chrome?

(I already know the answer now, but I thought this might be helpful for anyone struggling to figure out the same thing -- I'll post the answer below.)

Recommended answer

So the iFrame isn't actually setting the u cookie for the runwithfriends.appspot.com domain. What Facebook does is it creates a form, <form action="runwithfriends.appspot.com/..." target="name_of_iframe" method="POST"> and uses javascript to submit the form on page load. Since the form's target is the iframe, it doesn't reload the page... it just loads the iframe with the POST's response. Apparently even Chrome and other browsers with strict cookie policies set cookies for cross domain requests if they are POST requests...
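
The mechanism described in the answer above, as an added example that is not part of the original post or Facebook's own code: the outer page posts a form into the iframe, and the embedded app sets its cookie in the response to that POST. The names renderCanvasPage, handleAppPost, user_id and app.example are hypothetical, and the cookie attributes are an assumption about what the app would want in current browsers.

```javascript
// Escape a value for use inside a double-quoted HTML attribute, so that
// field values cannot break out of the generated markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Outer (embedding) page: a form whose target is the iframe, submitted on
// page load. The page itself does not navigate; only the iframe loads the
// POST response.
function renderCanvasPage(appUrl, fields, frameName = 'name_of_iframe') {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join('\n    ');
  return `<!doctype html>
<body onload="document.forms[0].submit()">
  <iframe name="${escapeAttr(frameName)}"></iframe>
  <form action="${escapeAttr(appUrl)}" target="${escapeAttr(frameName)}" method="POST">
    ${inputs}
  </form>
</body>`;
}

// Embedded app: answers the POST and sets its own cookie in that response.
// This sketch trusts user_id as posted; a real app must authenticate the
// posted data before creating a session from it.
function handleAppPost(rawBody) {
  const params = new URLSearchParams(rawBody);
  const userId = params.get('user_id');
  if (!userId) return { status: 400, headers: {}, body: 'missing user_id' };
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Assumption: current browsers only use a cookie inside a cross-site
      // iframe when it is marked SameSite=None and Secure.
      'Set-Cookie': `u=${encodeURIComponent(userId)}; Path=/; Secure; HttpOnly; SameSite=None`,
    },
    body: '<p>session established</p>',
  };
}
```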
