Can browsers react to Set-Cookie specified in headers in an XSS jquery.getJSON() request?


Problem description

(Note: This is a follow-up to my question Can jQuery.getJSON put a domain's cookies in the header of the request it makes? and covers the XSS case of Setting a cookie in an AJAX request?)

I've been told I'm unable to set cookies to be read by other domains that are not subdomains of the current domain using $.cookie(..., ..., {domain: ...}). But in a comment on a response to my last question, @zanlok said "The server's reply, however, can definitely set a cookie" and it got two upvotes.

So I thought I'd try using a service which was created for the explicit purpose of setting cookies called Freebase's "touch" API. The call looks like:

$.getJSON("http://api.sandbox-freebase.com/api/service/touch",
          {},                        // URL parameters
          afterCookieIsSetCallback); // Callback function

Looking in FireBug at the response header it's like this:

Date    Wed, 24 Nov 2010 03:35:28 GMT
Server  Apache
X-Metaweb-Cost  [...]
Etag    [...]
Expires Wed, 24 Nov 2010 03:35:29 GMT
Cache-Control   no-store
Vary    Accept-Encoding
Content-Encoding    gzip
Set-Cookie  mwLastWriteTime=1290569730|10325_9202a8c04000641f80000000199eff96|sandbox; expires=Thu, 25-Nov-2010 03:35:28 GMT; Path=/
Last-Modified   Wed, 24 Nov 2010 03:35:28 GMT
Content-Length  134
Content-Type    text/plain; charset=utf-8
X-Cache MISS from cache01.sandbox.sjc1.metaweb.com
Connection  keep-alive
X-Metaweb-TID   cache;cache01.sandbox.sjc1:8101;2010-11-24T03:35:28Z;0001

So there's definitely a Set-Cookie in there, and the script runs the response handler. Yet the cookie is not present in the request headers for later JSON requests this script makes to .sandbox-freebase.com.

(By contrast, simply typing the touch api URL into the address bar and loading it that way does set the cookie for future requests. That applies even in other tabs.)

This seems to be a deviation from a prior "expected behavior", because there was a toolkit published by MetaWeb circa "2007-2009" which seemed to think such an approach could work:

http://www.google.com/codesearch/p?hl=zh-CN#v099O4eZ5cA/trunk/src/freebase/api.js&q=touch%20package:http://mjt%5C.googlecode%5C.com&l=340

Without knowing much about it, I'm wondering if it was a recent change that Firefox adopted and then WebKit followed suit. Perhaps the one mentioned here:

http://trac.webkit.org/browser/trunk/WebCore/xml/XMLHttpRequest.cpp#L856

So is there any canonical documentation on this particular issue?

Recommended answer

The AJAX call you are making is making a request to a domain outside of the domain of the top-level URL (the URL in the address bar). This results in it being a 3rd-party cookie; by default Internet Explorer won't persist a 3rd-party cookie. Meaning that the cookie will come back in the Set-Cookie header on the first request, but subsequent requests that you make to that server will not have that cookie sent in the request.

Like you said, if you go directly to the URL in your browser it works. This is because in this case it's a first-party cookie.

In order for IE to accept 3rd-party cookies, the server that is sending the SET-COOKIE header on its response must also have a P3P policy header set.

Here is an example: when you navigate to CNN, you will notice one of the requests it makes is to a domain name of b.scorecardresearch.com. scorecardresearch is dropping a tracking cookie, but this cookie is considered a 3rd-party cookie. So in order to make it work they had to also include a P3P header; see headers below:

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Thu, 02 Dec 2010 19:57:16 GMT
Connection: keep-alive
Set-Cookie: UID=133a68a4-63.217.184.91-1288107038; expires=Sat, 01-Dec-2012 19:57:16 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

If you were to copy this header and add it to the response, you would notice that the cookies start working:

P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"

It's best that you craft a P3P header specific for your business, but the above should work for testing purposes.
