CORS, withCredentials and third-party cookies


Question


I'm trying to do a CORS GET that sends the cookie along with it. I've set all the headers (access-control-allow-origin, access-control-allow-credentials, access-control-allow-headers) in the server and am using withCredentials: true and crossDomain: true in the jQuery AJAX request. Everything works when I tell my browser to allow third-party cookies. Is there any way to do this without forcing visitors to allow third-party cookies? I've even tried redirecting the user and redirecting back, but CORS will refuse to send the cookie along. :/


I've tried doing the CORS request via ajax, as well as via an iframe.

Accepted answer


I don't think it is possible. See my (old but relevant) blog post on this. The only bullet-proof way is to use 1st-party cookies (that is, open a top-level window like a separate tab, or redirect the current window).


In some cases it is not necessary though. Browsers have slightly different notions of what a third-party cookie is, and the default behavior is also different. This post has a nice overview of these details. So in some cases you could do tricks to enable (or at least detect) the use of cookies on the page.


Other workarounds include putting one server under a subdomain of the other (subdomains are usually not considered 3rd-party), or changing the flow so that the user is authenticated by other means than cookies.
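An added example (not code from the question or the answer above) of what the server side of a credentialed CORS request looks like, and why correct headers alone cannot fix the problem the question describes: the names ALLOWED_ORIGINS, corsHeadersFor and handleRequest, the sample origins and the session cookie name are all assumptions.

```javascript
// Added example, not code from the original thread. Names (ALLOWED_ORIGINS,
// corsHeadersFor, handleRequest) and the sample origins are assumptions.

// Exact origins allowed to read responses that carry the user's cookies.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// CORS headers for a credentialed request from `origin`, or null if the
// origin is not on the allowlist (then send no CORS headers at all).
function corsHeadersFor(origin, isPreflight) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return null;
  const h = {
    // "*" is rejected by browsers when credentials are included, so the
    // allowed origin is echoed back exactly; Vary keeps caches per origin.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
  if (isPreflight) {
    h['Access-Control-Allow-Methods'] = 'GET';
    h['Access-Control-Allow-Headers'] = 'X-Requested-With';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// Minimal handler for the API server. `req` is {method, headers} with
// lower-case header names, as Node's http module would present them.
function handleRequest(req) {
  const origin = req.headers['origin'];
  const preflight = req.method === 'OPTIONS';
  const cors = corsHeadersFor(origin, preflight);
  if (preflight) {
    // A preflight never carries cookies; it only negotiates the real request.
    return { status: cors ? 204 : 403, headers: cors || {}, body: '' };
  }
  // Correct CORS headers do not make the browser attach a cookie it treats as
  // third-party and blocks: the request then simply arrives with no Cookie.
  const cookie = req.headers['cookie'] || '';
  if (!/(?:^|;\s*)session=\w+/.test(cookie)) {
    return { status: 401, headers: cors || {}, body: 'no session cookie' };
  }
  return { status: 200, headers: cors || {}, body: 'hello' };
}
```

The 401 branch is the case in the question: the server is configured correctly, but the browser never sent the cookie, which is why the answer points to first-party cookies or a subdomain rather than to more headers.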
