jQuery.getJSON 可以将域的 cookie 放入其发出的请求的标头中吗?

发布于 2024-10-04 02:05:25 字数 1405 浏览 6 评论 0原文

(注意:另请参阅相关问题浏览器可以对 XSS jquery.getJSON() 请求标头中指定的 Set-Cookie 做出反应吗?

我似乎无法设置 cookie(其名称为 < JSON 操作的请求标头中的 href="http://mql.freebaseapps.com/ch06.html#id2972569" rel="nofollow noreferrer">mwLastWriteTime)。该请求本身是 Freebase MQL 教程中的一个简单请求,并且在其他方​​面工作正常:

// Invoke mqlread and call the function below when it is done.
// Adding callback=? to the URL makes jQuery do JSONP instead of XHR.
jQuery.getJSON("http://api.sandbox-freebase.com/api/service/mqlread?callback=?",
{query: JSON.stringify(envelope)},   // URL parameters
displayResults);                     // Callback function

我希望我可以使用以下内容设置此 cookie:

$.cookie('mwLastWriteTime', value, {domain: ".sandbox-freebase.com"});

不幸的是,在 FireBug 中查看传出请求标头时,我只看到:

Host    api.sandbox-freebase.com
User-Agent  [...]
Accept  */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive  115
Connection  keep-alive
Referer [...]

但是如果我没有指定域(或者如果我明确指定请求站点的域),我可以让 mwLastWriteTime 显示在本地请求的标头中。由于 .sandbox-freebase.com 域拥有这些 cookie,它们不应该与 GET 一起传输吗?或者是否需要某种解决方法?

我的代码都是 JavaScript,我想设置这个 cookie,然后立即调用 getJSON。

(Note: See also the related question Can browsers react to Set-Cookie specified in headers in an XSS jquery.getJSON() request?)

I can't seem to set a cookie (whose name is mwLastWriteTime) in the request header of a JSON operation. The request itself is a simple one from the Freebase MQL tutorials, and it is working fine otherwise:

// Invoke mqlread and call the function below when it is done.
// Adding callback=? to the URL makes jQuery do JSONP instead of XHR.
jQuery.getJSON("http://api.sandbox-freebase.com/api/service/mqlread?callback=?",
{query: JSON.stringify(envelope)},   // URL parameters
displayResults);                     // Callback function

I'd hoped that I could set this cookie with something along the lines of:

$.cookie('mwLastWriteTime', value, {domain: ".sandbox-freebase.com"});

Unfortunately, looking in FireBug at the outgoing request header I see only:

Host    api.sandbox-freebase.com
User-Agent  [...]
Accept  */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive  115
Connection  keep-alive
Referer [...]

But if I don't specify the domain (or if I explicitly specify the domain of the requesting site) I can get mwLastWriteTime to show up in the headers for local requests. Since the .sandbox-freebase.com domain owns these cookies, shouldn't they be traveling along with the GET? Or does one need a workaround of some sort?

My code is all JavaScript, and I would like to set this cookie and then call the getJSON immediately afterward.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

女皇必胜 2024-10-11 02:05:25

无法设置跨域 cookie,因为这会打开浏览器(因此用户)到 XSS 攻击。

引用我上面引用的 QuirksMode.org 文章

请注意,此目的
域是为了允许cookies交叉
子域。我的饼干不会
通过 search.quirksmode.org 阅读,因为
它的域名是 www.quirksmode.org 。
当我将域设置为
quirksmode.org,搜索子域
也可以读取cookie。我无法设置
将 cookie 域更改为我不是的域
在,我无法创建域名
www.microsoft.com 。仅有的
quirksmode.org 是允许的,在此
案例。

如果您想使用 cookie 值发出跨站点请求,您需要在您控制的服务器上设置一个特殊的代理,该代理将允许您传入要作为 cookie 值发送的值(可能通过 POST 参数)。您还需要确保正确保护它,以免您的代理成为“释放”他人私人信息的手段。

You cannot set a cross-domain cookie, because that would open the browser (and therefore the user) to XSS attacks.

To quote from the QuirksMode.org article that I reference above:

Please note that the purpose of the
domain is to allow cookies to cross
sub-domains. My cookie will not be
read by search.quirksmode.org because
its domain is www.quirksmode.org .
When I set the domain to
quirksmode.org, the search sub-domain
may also read the cookie. I cannot set
the cookie domain to a domain I'm not
in, I cannot make the domain
www.microsoft.com . Only
quirksmode.org is allowed, in this
case.

If you want to make cross-site request with cookie values you will need to set up a special proxy on a server you control that will let you pass in values to be sent as cookie values (probably via POST parameters). You'll also want to make sure that you properly secure it, lest your proxy become the means by which someone else's private information is "liberated".

夏尔 2024-10-11 02:05:25

您是否通过本地主机运行所有测试?你用的是IE吗?如果是这样,它将执行自己特殊品牌的安全要求,并可能会转储您的 cookie。打开 fiddler 并使用 http://ipv4.fiddler 绕过它。

如果这种类型的欺骗行为没有发生(因为看起来您正在使用 FireFox),那么您也可能确实需要显式地将 cookie 的域设置为与 JSON 请求的域相同。浏览器不会将为域 A 设置的 cookie 发送到对域 B 的请求。不过,我不能 100% 确定情况确实如此。

Are you running all of your tests through localhost? Are you using IE? If so it will be enforcing its own special brand of security requirements and likely dumping your cookies. Open fiddler and use http://ipv4.fiddler to bypass that.

If that type of trickery is not going on (as it appears you are using FireFox) , it may also be the case that you do need to explicitely set the cookie's domain to be the same as the domain of your JSON request. A browser won't send cookies set for domain A to a request to domain B. I am not 100% sure this is the case though.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文