PhoneGap中的Cookie标头：拒绝设置不安全标题“Cookie” [英] Cookie Header in PhoneGap: Refused to set unsafe header "Cookie"

问题描述

我正在开发一个与安全的.net服务器通信的PhoneGap应用程序。问题是，我似乎无法通过任何Cookie的任何请求（ W3C ）。

I'm developing a PhoneGap application that communicates with a secure .net server. The issue is, I can't seem to pass along any Cookies with any request (W3C).

这是我在做的（假设username和password工作）。

This is what I am doing (assume that "username" and "password" work).

var token;    
$.ajax({
        url: "https://server.com/AuthService/api/account/login",
        crossDomain: true,
        type: 'post',
        async: false,
        data: {
            username: "username",
            password: "password"
        }
    }).done(function(response) {
        token = response.securityToken;
        success = true;
    });

此时，我有一个身份验证令牌，可用于验证所有后续请求。所以使用该令牌我向服务器发出另一个请求...

At this point I have an authentication token that I can use to validate all subsequent requests. So using that token I make another request to the server...

$.ajax({
    url: "https://server.com/Service/api/search?query=" + query,
    headers: { Cookie: 'auth=' + token },
    crossDomain: true,
    withCredentials: true,
    type: 'POST',
    async: false,
    data: ' ' //because we don't want our request to be 0 bytes (the server is picky)
}).done(function(data) {
    result = data;
});

Chrome只是说：拒绝设置不安全的标题Cookie（遵守W3C规范）。应用程序未设置标头，因此请求401s，因为授权Cookie未发送。

Chrome just says: Refused to set unsafe header "Cookie" (which adheres to the W3C spec). The app doesn't set the header and as a result the request 401s because the authorization cookie is not sent.

我的问题是这是：有任何方式颠覆并覆盖PhoneGap上的Cookie头（或另一种方式去完全）。我知道使用授权头也是一个选项，但我有限的访问服务器（它不支持它），并希望一个更直接的解决方案。

My question is this: Is there any way to subvert this and override the Cookie header (or another way to go about it entirely) on PhoneGap? I know that using an Authorization header is also an option, but I have limited access to the server (which doesn't support it) and was hoping for a more immediate solution.

Bonus问题：对AuthService的调用也应该在设备上设置一个httpOnly cookie，但不是（我推测这是因为它是跨域请求）...我在这个假设是正确的，或者可能有服务器端有问题？

Bonus question: The call to the AuthService should also set an httpOnly cookie on the device, but does not (I speculate that this is because it is cross domain request)... Am I correct in this assumption, or could there be something wrong server side?

谢谢！

推荐答案

是否，您不能设置Cookie头。原因是Chrome是您的用户代理，因此HTTP规范要求不允许修改具有安全隐患的标头。

The short answer is no, you can't set the Cookie header. The reason for this is that Chrome is your User Agent, so it is required by the HTTP specification to disallow modifications to headers which have security implications.

一个解决方案是执行允许服务器在XmlHttpRequest对象上设置cookie的操作。你说你已经试图这样做，但它不工作。我怀疑这是因为你需要设置withCredentials你的ajax请求。添加xhrFields属性，如下所示。

One solution would be to perform an action that allows the server to set the cookie on your XmlHttpRequest object. You say you're already trying to do this but it's not working. I suspect that's because you need to set withCredentials on your ajax request. Add the xhrFields attribute, as follows.

var token;    
$.ajax({
    url: "https://server.com/AuthService/api/account/login",
    crossDomain: true,
    xhrFields: {withCredentials: true},
    type: 'post',
    async: false,
    data: {
        username: "username",
        password: "password"
    }
}).done(function(response) {
    token = response.securityToken;
    success = true;
});

现在只要响应服务器不发送通配符作为其CORS允许的域Control-Allow-Origin），您应该会收到Cookie。

Now as long as the responding server doesn't send a wildcard as its CORS allowed domains (Access-Control-Allow-Origin), you should receive the cookie.

这篇关于PhoneGap中的Cookie标头：拒绝设置不安全标题“Cookie”的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！