Set-Cookie标头无法跨域工作 [英] Set-Cookie header not working across domain
问题描述
我在 https://aaa.shared.com
网站上。该网站(称为 A
)发送 xhr
请求以发送 https:// zzzz .shared.com / some / path
(网站 Z
)并收到带有以下标头的响应:
I am on a website https://aaa.shared.com
. This website (call it A
) sends an xhr
request to url https://zzz.shared.com/some/path
(website Z
) and receives a response with the following headers:
access-control-allow-credentials: true
access-control-allow-origin: aaa.shared.com
set-cookie: foo=bar; expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/; secure; samesite=none; httponly
(我关注了此问题的答案以添加访问控制
标头)
(I followed answer on this question to add access-control
headers)
现在,我期望的是,无论我同时在A还是Z上,只要请求到Z (跨域或同源),重要的是请求)浏览器会添加Cookie,但不会!此外,我看不到它是在浏览器开发人员工具(F12->应用程序-> Cookies)中设置的。我使用的是Chrome,但目标是跨浏览器解决方案。
Now, what I would expect is that whenever I am on both A or Z, whenever a request goes to Z (cross-origin or same-origin, what matters is URL of the request) browser would add the cookie, but it doesn't! Moreover, I cannot see it being set in browser Developer Tools (F12 -> Application -> Cookies). I am using Chrome, but aiming for a cross browser solution.
我缺少什么?我发现很难找到有关 Set-Cookie
标头在请求其他来源时如何工作的详细信息。
What am I missing? I am finding it really hard to find some elaborate information on how Set-Cookie
header works when requesting a different origin.
编辑: rowan_z
最初建议将 samesite = lax
替换为 samesite = none
,因为该问题的第一个版本中的A和Z是完全独立的域(仅共享 .com
部分)。我尝试过,但没有帮助。但是现在我意识到,它们实际上被视为 SameSite
,因为它们位于 shared.com
域的不同子域中。所以现在我相信 samesite = lax
也应该在这里工作。
rowan_z
originally suggested to replace samesite=lax
to samesite=none
, as A and Z in the first version of this question were completely separate domains (shared only .com
part). I tried it and it didn't help. But now I realise that they are actually regarded as SameSite
, because they are on the different subdomains of shared.com
domain. So now I believe that samesite=lax
should have worked here as well.
更新:
在最后,我只是将应用程序 aaa.shared.com
移到了相同子域中,路径为 zzz.shared.com/aaa/path
,因为处理Cookie和CORS确实很困难。另外,将其配置为与 localhost
一起使用会增加额外的麻烦。
UPDATE:
In the end, I just moved the application aaa.shared.com
under same subdomain with some path zzz.shared.com/aaa/path
, as dealing with cookies and CORS is really tough. Also, configuring it to work with localhost
adds extra complications.
推荐答案
确实需要使之生效:
-
访问权限-control-allow-credentials:true
-
access-control-allow-origin:aaa.shared.com
(不是通配符) -
安全
-
SameSite = None
access-control-allow-credentials: true
access-control-allow-origin: aaa.shared.com
(not a wildcard)Secure
SameSite=None
发送请求时,您只是想念一件事:凭据:包括 。
You were just missing one thing when sending the request: credentials: 'include'.
我创建了一个模拟终结点,您可以使用该终结点两次(在另一个域的控制台中)测试这一行代码:
I've created a mock endpoint that you can use to test this line of code twice (in the console of another domain):
fetch('https://stackoverflow.free.beeceptor.com', { credentials: 'include' });
您会注意到Cookie将第二次发送。
You'll notice the cookie will be sent the second time.
如果模拟端点过期(不知道它会持续多久),或者有人将其销毁,则可以在 http://beeceptor.com ,其标头配置中包含以下JSON:
In case the mock endpoint expires (no idea how long it lasts), or if someone destroys it, you can recreate it on http://beeceptor.com with this JSON in the header configuration:
{
"Content-Type": "application/json",
"Set-Cookie": "test=value; Path=/; Secure; SameSite=None;",
"access-control-allow-origin": "https://yourdomain",
"Access-Control-Allow-Credentials": "true"
}
这篇关于Set-Cookie标头无法跨域工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!