Can jQuery.getJSON put the domain's cookies in the headers of the request it makes?
(Note: See also the related question Can browsers react to Set-Cookie specified in headers in an XSS jquery.getJSON() request?)
I can't seem to set a cookie (whose name is mwLastWriteTime) in the request header of a JSON operation. The request itself is a simple one from the Freebase MQL tutorials, and it is working fine otherwise:
// Invoke mqlread and call the function below when it is done.
// Adding callback=? to the URL makes jQuery do JSONP instead of XHR.
jQuery.getJSON("http://api.sandbox-freebase.com/api/service/mqlread?callback=?",
{query: JSON.stringify(envelope)}, // URL parameters
displayResults); // Callback function
I'd hoped that I could set this cookie with something along the lines of:
$.cookie('mwLastWriteTime', value, {domain: ".sandbox-freebase.com"});
Unfortunately, looking in FireBug at the outgoing request header I see only:
Host api.sandbox-freebase.com
User-Agent [...]
Accept */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Connection keep-alive
Referer [...]
But if I don't specify the domain (or if I explicitly specify the domain of the requesting site) I can get mwLastWriteTime to show up in the headers for local requests. Since the .sandbox-freebase.com domain owns these cookies, shouldn't they be traveling along with the GET? Or does one need a workaround of some sort?
My code is all JavaScript, and I would like to set this cookie and then call the getJSON immediately afterward.
Comments (2)
You cannot set a cross-domain cookie, because that would open the browser (and therefore the user) to XSS attacks.
To quote from the QuirksMode.org article that I reference above:
If you want to make cross-site request with cookie values you will need to set up a special proxy on a server you control that will let you pass in values to be sent as cookie values (probably via POST parameters). You'll also want to make sure that you properly secure it, lest your proxy become the means by which someone else's private information is "liberated".
Are you running all of your tests through localhost? Are you using IE? If so it will be enforcing its own special brand of security requirements and likely dumping your cookies. Open Fiddler and use http://ipv4.fiddler to bypass that.
If that type of trickery is not going on (as it appears you are using Firefox), it may also be the case that you do need to explicitly set the cookie's domain to be the same as the domain of your JSON request. A browser won't send cookies set for domain A to a request to domain B. I am not 100% sure this is the case though.
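The behaviour the question reports and both answers describe follows from the RFC 6265 cookie domain rules. The following added example (not code from the question, the answers or jQuery) models those rules: a page on the constructed host mypage.example cannot create a cookie for .sandbox-freebase.com, and a host-only cookie for mypage.example is never attached to a request to api.sandbox-freebase.com. The model deliberately omits the public-suffix list, Path, Secure and SameSite, which real browsers also apply.

```javascript
// Added example: a small model of the RFC 6265 rules behind the behaviour
// above. domainMatch() is section 5.1.3, acceptCookie() the Domain check of
// section 5.3, cookiesFor() the request rule of 5.4. Hostnames are constructed.

// RFC 6265 5.1.3: host domain-matches a cookie domain if they are equal, or
// if host ends with "." + domain (and host is not an IP address).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith("." + cookieDomain);
}

// RFC 6265 5.3 step 6: a cookie whose Domain attribute does not domain-match
// the host that set it is ignored entirely. This is why $.cookie(...) with
// domain ".sandbox-freebase.com" from another site silently does nothing.
// Returns the stored cookie record, or null if the browser rejects it.
function acceptCookie(settingHost, name, value, domainAttr) {
  if (domainAttr) {
    if (!domainMatch(settingHost, domainAttr)) return null;
    return { name, value, domain: domainAttr.replace(/^\./, ""), hostOnly: false };
  }
  // No Domain attribute: a host-only cookie, sent only to that exact host.
  return { name, value, domain: settingHost.toLowerCase(), hostOnly: true };
}

// RFC 6265 5.4: which stored cookies are attached to a request to requestHost.
function cookiesFor(jar, requestHost) {
  return jar.filter(c =>
    c.hostOnly ? requestHost.toLowerCase() === c.domain
               : domainMatch(requestHost, c.domain));
}

// Replay the situation in the question: the page lives on mypage.example
// (constructed), tries to set mwLastWriteTime for .sandbox-freebase.com and
// without a domain, then fires a JSONP request to api.sandbox-freebase.com.
function demo() {
  const jar = [];
  const attempt = acceptCookie("mypage.example", "mwLastWriteTime", "123", ".sandbox-freebase.com");
  if (attempt) jar.push(attempt);            // rejected, so never stored
  const local = acceptCookie("mypage.example", "mwLastWriteTime", "123", null);
  if (local) jar.push(local);                // host-only cookie for mypage.example
  return {
    rejectedCrossDomain: attempt === null,
    sentToApi: cookiesFor(jar, "api.sandbox-freebase.com").map(c => c.name),
    sentLocally: cookiesFor(jar, "mypage.example").map(c => c.name),
  };
}
```

Only a response from a sandbox-freebase.com host (a Set-Cookie header, or a script served from there) can create that cookie, which is the reason the first answer points to a proxy you control.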