CORS请求与IE11 [英] CORS request with IE11

问题描述

我有一个CORS（跨源资源共享）请求，从我的登录页面到应用程序网站，位于不同的网址。我有一个简单的页面，我ping，以确定用户是否已经登录，如果是，重定向他们。否则，我显示登录页面。我使用jQuery。

I have a CORS (cross origin resource sharing) request coming from my login page to the application site, on a different URL. I have a simple page I ping to determine if a user is already logged in, and if so, redirects them. Otherwise I show a login page. I use jQuery.

这在safari，chrome，firefox ...而不是IE（自然）。根据MS，IE 10及更高版本应支持具有withCredentials的 CORS请求

This works great in safari, chrome, firefox... and not IE (naturally). According to MS, IE 10 and later should support CORS requests with withCredentials

我正在使用jquery-2.0.3.min.js

I'm using jquery-2.0.3.min.js

这在IE11中不工作？

Any ideas why this isn't working in IE11?

编辑：看起来好像它是部分工作，因为它现在返回值{id：false}。这发生在每一次，意味着服务器从来没有获得凭据。我也在发布我的is_logged_in页面，我使用的代码igniter框架。

It appears as though it IS partially working, as it is now returning a value of {"id":false}. This happens every time, meaning that the server is never getting the credentials. I am also posting my is_logged_in page, I am using the code igniter framework.

编辑：在IE的安全设置启用允许跨域的数据源接收任何错误讯息。

After enabling "Allow data sources across domains" under IE's security settings, I no longer receive any error messages.

我收到的确切错误是：

SEC7118：用于 http://mysite.net/guest/is_logged_in 所需的XMLHttpRequest跨源资源分享（CORS）。

SEC7118: XMLHttpRequest for http://mysite.net/guest/is_logged_in required Cross Origin Resource Sharing (CORS).

$.ajax({
url: 'http://mysite.net/guest/is_logged_in',
type: 'POST',
crossDomain: true,
xhrFields: {
       withCredentials: true
  },

dataType: 'json',
success: function(data) {

    if(data.id) {
        window.location.replace("http://mysite.net");
    }
}
});

和

public function is_logged_in()
{
    $allowed = array(
        'http://mysite.net',
        'http://www.mysite.net',
        'http://www.mysite.com',
    );

    $url = $_SERVER['HTTP_REFERER'];
    $url = substr($url, 0, strpos($url, '/', 8));
    if(isset($_SERVER['HTTP_ORIGIN']))
    {
        if(in_array($_SERVER['HTTP_ORIGIN'], $allowed))
        {
            $this->output->set_header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
        }
    }
    else
    {
        if(in_array($url, $allowed))
        {
            $this->output->set_header('Access-Control-Allow-Origin: ' . $url);
        }
    }


    $this->output->set_header('Access-Control-Allow-Headers: X-Requested-With');
    $this->output->set_header('Access-Control-Allow-Credentials: true');
    $this->output->set_header("Access-Control-Expose-Headers: Access-Control-Allow-Origin");


    //TODO: Try to detect if this is an ajax request, and disallow it if not.

    $data = new stdClass();
    $this->load->library("ion_auth");
    if($this->ion_auth->logged_in())
    {
        $data->name = $this->ion_auth->user()->row()->first_name;
        $data->id = $this->ion_auth->get_user_id();
    } else {
        $data->id = false;
    }

    $this->output->set_output(json_encode($data));

}

提前感谢

推荐答案

将跨域访问数据源的设置更改为已启用会关闭IE中的跨域检查，并且可怕地不安全。相反，您需要确保目标第三方资源向您发送有效的P3P策略，表示它不会对用户的隐私做可怕的事情。

Changing the setting for "Access data sources across domains" to Enabled turns off cross-domain checks in IE and is horrifically unsafe. Instead, you need to ensure that the target 3rd-party resource sends a valid P3P policy that indicates that it's not doing horrible things to the user's privacy.

这篇关于CORS请求与IE11的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！