How does Facebook set cross-domain cookies for iFrames on canvas pages?


Question

I was browsing Facebook's documentation reading about canvas applications and I came across an example application: http://developers.facebook.com/docs/samples/canvas. As I read through their example, however, I got very confused about their use of cookies in the iframe application.

A little backstory...

I had already played around with using iframes for embeddable widgets (unrelated to Facebook) and I found out that a few browsers (Chrome, Safari, etc.) have strict cookie policies and don't allow cross-domain cookies to be set in iframes (Firefox, on the other hand, allows iframes to set cross-domain cookies). For example, if foo.com has an iframe with src="http://bar.com/widget", the iframe widget will not be able to set any cookies for bar.com and therefore will have trouble persisting state within the iframe: bar.com will interpret every request (including ajax requests) from the widget as a fresh request without an established session. I struggled, and found a way around this by using JSONP and javascript to set cookies for foo.com instead...

...wait, what?

Well, I was looking at the example canvas iframe Facebook application and I noticed that their application (hosted on runwithfriends.appspot.com) is able to set a cookie, u, with the current user's id along with a few other parameters for the runwithfriends.appspot.com domain. It sends this cookie with every request... and it works in both Chrome and Firefox! WTF? How does Facebook get around the cross-domain cookie restrictions on Chrome?

(I already know the answer now, but I thought this might be helpful for anyone struggling to figure out the same thing -- I'll post the answer below.)

Accepted answer

So the iFrame isn't actually setting the u cookie for the runwithfriends.appspot.com domain. What Facebook does is create a form, <form action="runwithfriends.appspot.com/..." target="name_of_iframe" method="POST">, and use javascript to submit the form on page load. Since the form's target is the iframe, it doesn't reload the page... it just loads the iframe with the POST's response. Apparently even Chrome and other browsers with strict cookie policies set cookies for cross-domain requests if they are POST requests...
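The pattern the answer describes, reconstructed as an added example (this is not code from the original post or from Facebook's sample application): a form whose target is a named iframe is built and submitted with JavaScript when the page loads, so the iframe receives the POST response and any Set-Cookie headers it carries while the outer page stays put. The iframe name "canvas_iframe", the placeholder action URL, and the "signed_request" field are assumptions for illustration. The builder rejects non-https targets so the cookie the embedded app sets can carry the Secure attribute, and attribute values are escaped so field values cannot break out of the generated markup.

```javascript
// Added example, not the original post's or Facebook's code.
// Hypothetical names: IFRAME_NAME, APP_URL and the "signed_request" field.
const IFRAME_NAME = "canvas_iframe";                 // assumed iframe name
const APP_URL = "https://example.invalid/canvas/";   // placeholder app URL

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Describe the POST-into-iframe form. Only absolute https targets are
// accepted, so the receiving app can set its session cookie as Secure.
function buildIframePostForm(actionUrl, iframeName, fields) {
  const url = new URL(actionUrl);
  if (url.protocol !== "https:") {
    throw new Error("iframe POST target must be https");
  }
  if (!/^[A-Za-z_][\w-]*$/.test(iframeName)) {
    throw new Error("iframe name must be a simple identifier");
  }
  return {
    action: url.href,
    target: iframeName,
    method: "POST",
    fields: Object.entries(fields).map(([name, value]) => ({ name, value: String(value) })),
  };
}

// Render the form as static markup, which is what the outer page contains
// before the script submits it.
function renderFormHtml(spec) {
  const inputs = spec.fields
    .map(f => `<input type="hidden" name="${escapeAttr(f.name)}" value="${escapeAttr(f.value)}">`)
    .join("");
  return `<form action="${escapeAttr(spec.action)}" target="${escapeAttr(spec.target)}" method="${spec.method}">${inputs}</form>`;
}

// Browser-only: make sure the named iframe exists, build the form in the
// DOM and submit it. The POST response loads inside the iframe only.
function submitIntoIframe(doc, spec) {
  let frame = doc.querySelector(`iframe[name="${spec.target}"]`);
  if (!frame) {
    frame = doc.createElement("iframe");
    frame.name = spec.target;
    doc.body.appendChild(frame);
  }
  const form = doc.createElement("form");
  form.action = spec.action;
  form.target = spec.target;
  form.method = spec.method;
  for (const f of spec.fields) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = f.name;
    input.value = f.value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Usage in a page (constructed sample field; "signed_request" is assumed):
// window.addEventListener("load", () => {
//   const spec = buildIframePostForm(APP_URL, IFRAME_NAME, { signed_request: "a.b" });
//   submitIntoIframe(document, spec);
// });
```

Two things a practitioner should keep in mind on the receiving side: the app is accepting a cross-site POST, so it must validate the posted data (the signed payload here) rather than trusting it, and in current browsers a cookie set inside an embedded frame is only sent back on later requests if it carries SameSite=None together with Secure, regardless of whether the request was a GET or a POST.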
