与其他网域共享Cookie [英] Share cookies with other domains
问题描述
我知道,只要他们是同一父域的子域,就可以允许其他域读取我们的域cookie。
例如, intranet.abc.com 和 extranet.abc.com 可以允许通过指定 .abc.com的域属性来读取cookie。
现在,我真的需要,我可以允许其他域读取我的域cookie(他们是不是同一个域的子域)。我已经搜索了很多在互联网上的讨论=>所有说否 由于安全问题。我不知道如果我错过了一个解决方案,因为我没有看到任何安全问题在这种情况下。我的服务器清楚地允许此Cookie可由 XYZ.COM 网域读取,因为Cookie不包含任何敏感信息,并且XYZ.COM网域是我的信任网域, p>
在我看来,应该有一种方法来指定允许读取我们域中特定cookie的其他域列表,就像CORS,服务器可以决定该信息是否应该提供给某些受信任的域。
请告诉我是否可以不使用解决方法,如果可以, ?
如果不可能,我真的想知道为什么。
有关我正在实施的信息: p>
我正在实现一个文件下载,在客户端我需要通过定期检查下载令牌在cookie使用javascript中的间隔是否完成下载。 / p>
目前我正在处理的系统的逻辑可能会将文件存储在2个不同的服务器上。如果文件在当前服务器中丢失,它将在另一个服务器(另一个域)中下载文件。
非常感谢。
您可以通过打开一个iframe到其他域上的特殊检测页面并使用window.postMessage API在窗口之间进行通信来读取域外Cookie。
为简洁起见,简化postMessage API,请参阅MDN开发人员网页了解完整详情。
https://developer.mozilla.org/en -US / docs / Web / API / Window.postMessage
< iframe id =ifrmsrc = http://other.domain.com/getCookie.html\"> ;</iframe>
< script>
var iframe = document.getElementById('ifrm');
window.addEventListener('message',function(e){
if(e.source === iframe.contentWindow&& e.origin ==='other.domain .com'){
var cookie = e.data;
//使用cookie做某事
}
});
//等待iframe加载...也许先ping它...然后
iframe.contentWindow.postMessage('给我的cookie:cookie name','other.domain.com' );
< / script>
/ * in getCookie.html * /
< script>
window.addEventListener('message',function(e){
if(e.origin ==='your.domain.com'){
var seekingCookie = /给我的cookie \:(。*)/。exec(e.data)[1];
//读取cookie
var cookie = getCookieFn(seekingCookie)
e.source.postMessage .toString(),'your.domain.com');
}
},false);
< / script>
I know that it's possible to allow other domains to read our domain cookie as long as they're sub domains of the same parent domain.
For example, intranet.abc.com and extranet.abc.com can allow cookies to be read by each other by specifying the domain property to .abc.com
Now, I'm really in need that I can allow other domains to read my domain cookie (they are not sub domains of the same domain). I have searched a lot of discussions on the internet => all say "NO" due to security issues. I'm not sure if I missed a solution out there because I don't see any security issues in this case. My server clearly ALLOWS this cookie to be read by an XYZ.COM domain because the cookie does not contain any sensitive information and XYZ.COM domain is my trusted domain,
In my opinion, there should be a way to specify a list of other domains that are allowed to read a particular cookie in our domain, just like CORS, the server can decide if the information should be available to some trusted domains.
Please tell me if it's possible without using a workaround and if so, how to do it? If it's not possible, I really would like to know why.
Some information about what I'm implementing:
I'm implementing a file download and on client side I need to detect whether the download is complete by periodically checking for a download token in the cookie using an interval in javascript.
The logic of the current system I'm working on at the moment may store the files in 2 different servers. If the file is missing in the current server, it will download file in another server (another domain)
Thank you very much.
You can read off-domain cookies by opening an iframe to specially instrumented page on the other domain and using the window.postMessage API to communicate between windows. HTML5 only, obviously.
Simplifying the postMessage API somewhat for brevity, consult MDN developer pages for full details. https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage
<iframe id="ifrm" src="http://other.domain.com/getCookie.html"></iframe>
<script>
var iframe = document.getElementById('ifrm');
window.addEventListener('message', function (e) {
if (e.source === iframe.contentWindow && e.origin === 'other.domain.com') {
var cookie = e.data;
//do something with cookie
}
});
//wait for the iframe to load...maybe ping it first...then
iframe.contentWindow.postMessage('give me the cookie:cookie name', 'other.domain.com');
</script>
/* in getCookie.html */
<script>
window.addEventListener('message', function (e) {
if (e.origin === 'your.domain.com') {
var soughtCookie = /give me the cookie\:(.*)/.exec(e.data)[1];
// read the cookie
var cookie = getCookieFn(soughtCookie)
e.source.postMessage(cookie.toString(), 'your.domain.com');
}
}, false);
</script>
这篇关于与其他网域共享Cookie的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
