jQuery.getJSON可以将域中的Cookie放在请求的头部吗? [英] Can jQuery.getJSON put a domain's cookies in the header of the request it makes?
问题描述
我似乎无法设置cookie(其名称为 mwLastWriteTime )在JSON操作的请求头中。这个请求本身是Freebase MQL教程中的一个简单的例子,而且它运行正常,否则:
pre $ //调用mqlread和调用下面的功能完成后。
//添加回叫=?到URL使jQuery做JSONP而不是XHR。
jQuery.getJSON(http://api.sandbox-freebase.com/api/service/mqlread?callback=?,
{query:JSON.stringify(envelope)},// URL参数
displayResults); //回调函数
我希望我可以设置这个cookie,
$。cookie('mwLastWriteTime',value,{domain:.sandbox-freebase.com});
不幸的是,在传出请求头文件的FireBug中,我只看到:
主机api.sandbox-freebase.com
用户代理[...]
接受* / *
接受-Language en-us,en; q = 0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8; q = 0.7,*; q = 0.7
Keep-Alive 115
连接保持活动
Referer [...]
<但是,如果我没有指定域(或者如果我明确指定请求站点的域),我可以得到 mwLastWriteTime 显示在本地请求。由于 .sandbox-freebase.com 域拥有这些cookie,它们不应该与GET一起旅行吗?还是需要一种解决方法?
我的代码是所有的JavaScript,我想设置这个cookie,然后立即调用getJSON。
您不能设置跨域Cookie ,因为这样会打开浏览器(也就是用户)到XSS攻击。
要引用 QuirksMode.org文章我上面提到:
< blockquote>
请注意,
域的用途是允许cookie跨越
个子域。我的cookie不会被$
读取,因为
的域名是www.quirksmode.org。
当我将域设置为
quirksmode.org时,搜索子域
也可能读取cookie。我不能将
的cookie域设置为域名我不是
,我不能域名
www.microsoft.com。只有
quirksmode.org被允许,在这个
的情况下。
如果你想制作跨网站请求cookie值,您将需要在您控制的服务器上设置一个特殊的代理,这将允许您传递作为cookie值(可能通过POST参数)发送的值。您还需要确保您的安全,以免您的代理成为别人私人信息被解放的手段。
(Note: See also the related question Can browsers react to Set-Cookie specified in headers in an XSS jquery.getJSON() request?)
I can't seem to set a cookie (whose name is mwLastWriteTime) in the request header of a JSON operation. The request itself is a simple one from the Freebase MQL tutorials, and it is working fine otherwise:
// Invoke mqlread and call the function below when it is done.
// Adding callback=? to the URL makes jQuery do JSONP instead of XHR.
jQuery.getJSON("http://api.sandbox-freebase.com/api/service/mqlread?callback=?",
{query: JSON.stringify(envelope)}, // URL parameters
displayResults); // Callback function
I'd hoped that I could set this cookie with something along the lines of:
$.cookie('mwLastWriteTime', value, {domain: ".sandbox-freebase.com"});
Unfortunately, looking in FireBug at the outgoing request header I see only:
Host api.sandbox-freebase.com
User-Agent [...]
Accept */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Connection keep-alive
Referer [...]
But if I don't specify the domain (or if I explicitly specify the domain of the requesting site) I can get mwLastWriteTime to show up in the headers for local requests. Since the .sandbox-freebase.com domain owns these cookies, shouldn't they be traveling along with the GET? Or does one need a workaround of some sort?
My code is all JavaScript, and I would like to set this cookie and then call the getJSON immediately afterward.
You cannot set a cross-domain cookie, because that would open the browser (and therefore the user) to XSS attacks.
To quote from the QuirksMode.org article that I reference above:
Please note that the purpose of the domain is to allow cookies to cross sub-domains. My cookie will not be read by search.quirksmode.org because its domain is www.quirksmode.org . When I set the domain to quirksmode.org, the search sub-domain may also read the cookie. I cannot set the cookie domain to a domain I'm not in, I cannot make the domain www.microsoft.com . Only quirksmode.org is allowed, in this case.
If you want to make cross-site request with cookie values you will need to set up a special proxy on a server you control that will let you pass in values to be sent as cookie values (probably via POST parameters). You'll also want to make sure that you properly secure it, lest your proxy become the means by which someone else's private information is "liberated".
这篇关于jQuery.getJSON可以将域中的Cookie放在请求的头部吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
