Cookie blocked/not saved in IFRAME in Internet Explorer


Problem description



    I have two websites, let's say they're example.com and anotherexample.net. On anotherexample.net/page.html, I have an IFRAME SRC="http://example.com/someform.asp". That IFRAME displays a form for the user to fill out and submit to http://example.com/process.asp. When I open the form ("someform.asp") in its own browser window, all works well. However, when I load someform.asp as an IFRAME in IE 6 or IE 7, the cookies for example.com are not saved. In Firefox this problem doesn't appear.

    For testing purposes, I've created a similar setup on http://newmoon.wz.cz/test/page.php .

    example.com uses cookie-based sessions (and there's nothing I can do about that), so without cookies, process.asp won't execute. How do I force IE to save those cookies?

    Results of sniffing the HTTP traffic: on GET /someform.asp response, there's a valid per-session Set-Cookie header (e.g. Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY), but on POST /process.asp request, there is no Cookie header at all.

    Edit3: some AJAX+serverside scripting is apparently capable of sidestepping the problem, but that looks very much like a bug, plus it opens a whole new set of security holes. I don't want my applications to use a combination of bug+security hole just because it's easy.

    Edit: the P3P policy was the root cause, full explanation below.

    Solution

    I got it to work, but the solution is a bit complex, so bear with me.

    What's happening

    As it is, Internet Explorer gives a lower level of trust to IFRAME pages (IE calls this "third-party" content). If the page inside the IFRAME doesn't have a Privacy Policy, its cookies are blocked (which is indicated by the eye icon in the status bar; when you click on it, it shows you a list of blocked URLs).

    In this case, when cookies are blocked, the session identifier is not sent, and the target script throws a 'session not found' error.

    (I've tried setting the session identifier into the form and loading it from POST variables. This would have worked, but for political reasons I couldn't do that.)

    It is possible to make the page inside the IFRAME more trusted: if the inner page sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.

    How to solve it

    Create a p3p policy

    A good starting point is the W3C tutorial. I've gone through it, downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by (here it was policy1).

    NOTE: at this point, you actually need to find out if your site has a privacy policy, and if not, create it - whether it collects user data, what kind of data, what it does with it, who has access to it, etc. You need to find this information and think about it. Just slapping together a few tags will not cut it. This step cannot be done purely in software, and may be highly political (e.g. "should we sell our click statistics?").

    (e.g. "the site is operated by ACME Ltd., it uses anonymous per-session identifiers for its operation, collects user data only if explicitly permitted and only for the following purposes, the data is stored only as long as necessary, only our company has access to it, etc. etc.").

    (When editing with this tool, it's possible to view errors/omissions in the policy. Also very useful is the tab "HTML Policy": at the bottom, it has a "Policy Evaluation" - a quick check if the policy will be blocked by IE's default settings)

    The Editor exports to a .p3p file, which is an XML representation of the above policy. Also, it can export a "compact version" of this policy.

    Link to the policy

    Then a Policy Reference file (http://example.com/w3c/p3p.xml) was needed (an index of privacy policies the site uses):

    <META xmlns="http://www.w3.org/2002/01/P3Pv1">
      <POLICY-REFERENCES>
        <POLICY-REF about="/w3c/example-com.p3p#policy1">
          <INCLUDE>/</INCLUDE>
          <COOKIE-INCLUDE/>
        </POLICY-REF>
      </POLICY-REFERENCES>
    </META>
    

    The <INCLUDE> shows all URIs that will use this policy (in my case, the whole site). The policy file I've exported from the Editor was uploaded to http://example.com/w3c/example-com.p3p

    Send the compact header with responses

    I've set the webserver at example.com to send the compact header with responses, like this:

    HTTP/1.1 200 OK 
    P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR IVAi IVDi OUR TST"
    // ... other headers and content
    

    policyref is a relative URI to the Policy Reference file (which in turn references the privacy policies), CP is the compact policy representation. Note that the combination of P3P headers in the example may not be applicable on your specific website; your P3P headers MUST truthfully represent your own privacy policy!
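As an added example (not code from the question or the answer above), the following Python module generalizes the "link to the policy" and "send the compact header" steps: it validates compact-policy tokens against the P3P 1.0 vocabulary, builds the header value and the policy reference file, and attaches the header to every response through a hypothetical WSGI middleware wrapped around a constructed stand-in for example.com. The paths, the cookie name and the middleware are assumptions; the token table is the P3P 1.0 compact-policy vocabulary.

```python
"""P3P plumbing for a site whose pages are loaded in a third-party IFRAME.
Added example, not code from the original question or answer.  The paths
(/w3c/p3p.xml, /w3c/example-com.p3p#policy1), the session cookie and the
WSGI stand-in for example.com are constructed; the token table is the
P3P 1.0 compact-policy vocabulary."""
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
# Compact-policy tokens grouped by the P3P element they abbreviate. Purpose
# and recipient tokens (other than OUR) may carry an a/i/o suffix meaning
# always / opt-in / opt-out; every other token appears bare.
CP_TOKENS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"}, "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                 "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
SUFFIXED = CP_TOKENS["purpose"] | (CP_TOKENS["recipient"] - {"OUR"})

def classify_token(token):
    """Return the element a compact-policy token belongs to; reject junk."""
    base, suffix = token[:3], token[3:]
    if suffix and (suffix not in ("a", "i", "o") or base not in SUFFIXED):
        raise ValueError("bad compact-policy token: %r" % token)
    element = next((e for e, names in CP_TOKENS.items() if base in names), None)
    if element is None:
        raise ValueError("unknown compact-policy token: %r" % token)
    return element

def cp_summary(tokens):
    """Group tokens by element to see what the header really claims."""
    summary = {}
    for token in tokens:
        summary.setdefault(classify_token(token), []).append(token)
    return summary

def build_p3p_header(policyref, tokens):
    """Assemble the P3P header value after validating every token."""
    cp_summary(tokens)  # raises on a malformed or unknown token
    return 'policyref="%s", CP="%s"' % (policyref, " ".join(tokens))

def parse_p3p_header(value):
    """Split a received P3P header back into policyref and token list."""
    ref = re.search(r'policyref="([^"]*)"', value)
    cp = re.search(r'CP="([^"]*)"', value)
    if cp is None:
        raise ValueError("P3P header carries no compact policy")
    return {"policyref": ref.group(1) if ref else None,
            "cp": cp.group(1).split()}

def build_policy_reference(policy_uri, includes=("/",)):
    """Serialise a policy reference file (what /w3c/p3p.xml serves)."""
    meta = ET.Element("META", xmlns=P3P_NS)
    refs = ET.SubElement(meta, "POLICY-REFERENCES")
    ref = ET.SubElement(refs, "POLICY-REF", about=policy_uri)
    for path in includes:
        ET.SubElement(ref, "INCLUDE").text = path
    ET.SubElement(ref, "COOKIE-INCLUDE")  # cookies are covered by the policy
    return ET.tostring(meta, encoding="unicode")

def add_p3p_header(app, header_value):
    """Hypothetical WSGI middleware: attach the P3P header to every response."""
    def wrapped(environ, start_response):
        def patched(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "p3p"]
            return start_response(status, headers + [("P3P", header_value)], exc_info)
        return app(environ, patched)
    return wrapped

def demo_app(environ, start_response):
    """Constructed stand-in for example.com: form page + policy reference file."""
    if environ["PATH_INFO"] == "/w3c/p3p.xml":
        start_response("200 OK", [("Content-Type", "text/xml")])
        return [build_policy_reference("/w3c/example-com.p3p#policy1").encode()]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "ASPSESSION=constructed; Path=/")])
    return [b"<form method='post' action='/process.asp'></form>"]

def call_app(app, path="/someform.asp"):
    """Run a WSGI app offline; return (status, header dict, body bytes)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return seen["status"], dict(seen["headers"]), body

# The header the answer sends; replace the tokens with ones that are true for you.
HEADER = build_p3p_header("/w3c/p3p.xml",
                          ["IDC", "DSP", "COR", "IVAi", "IVDi", "OUR", "TST"])
site = add_p3p_header(demo_app, HEADER)

if __name__ == "__main__":
    status, headers, _ = call_app(site)
    print(status, headers["P3P"], headers["Set-Cookie"])
    print(cp_summary(parse_p3p_header(headers["P3P"])["cp"]))
```

The middleware strips any P3P header the application set itself, so the value declared in one place is the only one a browser ever sees; `cp_summary` makes it obvious which elements the compact policy does and does not declare (the answer's header, for instance, carries no retention token), which is the thing to check against the human-readable policy before shipping it.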

    Profit!

    In this configuration, the Evil Eye does not appear, the cookies are saved even in the IFRAME, and the application works.

    Edit: What NOT to do, unless you like defending from lawsuits

    Several people have suggested "just slap some tags into your P3P header, until the Evil Eye gives up".

    The tags are not only a bunch of bits, they have real world meanings, and their use gives you real world responsibilities!

    For example, pretending that you never collect user data might make the browser happy, but if you actually collect user data, the P3P is conflicting with reality. Plain and simple, you are purposefully lying to your users, and that might be criminal behavior in some countries. As in, "go to jail, do not collect $200".

    A few examples (see p3pwriter for the full set of tags):

    • NOI: "Web Site does not collect identified data." (as soon as there's any customization, a login, or any data collection (***** Analytics, anyone?), you must acknowledge it in your P3P)
    • STP: "Information is retained to meet the stated purpose. This requires information to be discarded at the earliest time possible. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy." (so if you send STP but don't have a retention policy, you may be committing fraud. How cool is that? Not at all.)

    I'm not a lawyer, but I'm not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually being willing to honor your promises.
