是否有针对Safari iOS“防止跨站点跟踪"的变通办法?选项，从不同域上的API发出cookie时? [英] Is there a workaround for Safari iOS "Prevent Cross Site Tracking" option, when issuing cookies from API on different domain?

问题描述

是否有任何变通办法可以让我保持阻止跨站点Trackng"选项处于启用状态(默认情况下，因此每个用户都将其启用)，并从处于打开状态的我的后端api发出CORS cookie与我的角度应用程序不同的域?

Is there any workarounds that allows me to keep the "Prevent Cross Site Trackng" option enabled (as it is by default, so every user will have it on), and issue CORS cookies from my back-end api that is on a different domain than my angular app?

我的申请流程如下: 1.用户登录 2.服务器进行身份验证，发出JWT并将JWT存储在HttpOnly cookie中 3.所有角度请求均带有{withCredentials: true}

My application flow is as follow: 1. User Logs in 2. The server authenticates, issues a JWT and stores the JWT inside of an HttpOnly cookie 3. All angular requests have the {withCredentials: true}

这在.... Windows桌面浏览器上工作得很好.但是，当我尝试在Safari iOS和Mac Safari上登录时，cookie不会保存，也不会随后续请求一起发送.

This works perfectly fine on....windows desktop browsers. However when I try to login on Safari iOS, and mac Safari the cookie is not saved nor is it sent with subsequent requests.

我发现禁用阻止跨站点跟踪"选项是可行的，但是我不能期望所有用户都禁用此选项以使用我的应用程序.

I found that disabling "Prevent Cross Site Tracking" option works, but I cannot expect all of my users to disabled this option to use the my app.

现在有任何解决方法吗?

Are there any workarounds for this right now?

推荐答案

我建议将您的网站和api放在同一个域中，例如 https://web.mydomain.com 和

I'd suggest puting both your website and the api on the same domain, e.g. https://web.mydomain.com and https://api.mydomain.com. This shouldn't be too difficult to implement - I haven't found any simple technical solutions online yet that will force Safari on iOS to allow this without changing the settings.

这篇关于是否有针对Safari iOS“防止跨站点跟踪"的变通办法?选项，从不同域上的API发出cookie时?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！