Unable to set cookies in an IFRAME in IE, even with a P3P header
I've seen many posts here on how to get cookies to work inside an iframe in IE, and I've tried several of the solutions, but so far have had no luck. Here's what I'm dealing with:
I have an iframe that is created through Javascript on a customer's site (a widget.) I have no control of the customer's site. I need to set cookies to keep the user logged in within the iframe, and it works in Chrome and Firefox, but not in IE 7/8. I haven't tested IE 6, but I assume it has the same problem.
I created a P3P policy using IBM's policy editor, and the editor said that the compact policy was acceptable under IE's security, whether it's set to Low, Medium, or High. The CP I'm using is:
P3P: policyref="/w3c/p3p.xml" CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa CONi TELi OUR IND PHY ONL UNI COM NAV INT DEM CNT PRE"
(I have tried several other CPs that people say work, but have seen no difference in the result.)
The webserver (NGINX) is serving this P3P header with every file. I am not serving it from code.
The p3p.xml file exists and matches the compact policy. The p3p.xml validates using the W3C P3P validator.
Even with the P3P header (no matter which one I tried), IE gives me the "evil eye" in the status bar at the bottom and will not let me set cookies. They show as Blocked in the privacy report.
I read Piskvor's post on SO about this topic: Cookie blocked/not saved in IFRAME in Internet Explorer, but I have not been able to reproduce what he was able to do on his demo site: http://newmoon.wz.cz/test/page.php?send_p3p=1. I assume this is because I am getting the evil eye and he is not. I have done everything I've read about as a recommendation to get rid of the evil eye, yet it persists. Mocking me.
My test page is here if you want to try it out: http://truelike.com/js/bobs/frametest.php. The set/read pages work fine when viewed outside of the iframe, but don't work at all inside when using IE.
For reference, I'm using PHP on the backend.
Any help at all would be much appreciated - we're getting desperate here.
Thanks!
Comments (2)
So, I resolved this myself. It looks like the problem was with NGINX's HTTPUserIDModule (http://wiki.nginx.org/HttpUserIdModule). I had been using that to send the P3P header, but nginx wasn't sending the header consistently, perhaps due to this line in their documentation:
I was seeing the headers come through when checking with curl or lynx, but not when I checked with Firebug or Charles. Perhaps there is a config option to fix this, but I couldn't find it.
Anyway, if you pull the header directive OUT of the HTTPUserIdModule and just send the header manually in code, it works. It would probably work if you manually send the header using the HTTPHeadersModule http://wiki.nginx.org/HttpHeadersModule, but I haven't tested this yet.
Once it was working through code, I saw that I didn't need the header on all files - having it only on the files setting/getting cookies was enough, contrary to a lot of the advice I've seen.
Also, my CP was apparently too aggressive, despite IBM's policy editor saying it was okay. I used a more basic CP, and that worked.
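As an added illustration of what the answer describes (sending the P3P header from PHP on the response that sets the cookie), not the asker's frametest.php or any code from the thread. The compact policy value `CAO PSA OUR` and the cookie name are assumptions; the answer does not say which "more basic CP" was used.

```php
<?php
// Added example, not code from the original question or answer.
// A minimal set/read endpoint for an iframe widget: the P3P compact policy
// is emitted on the same response that carries Set-Cookie, which the
// answer found to be sufficient for IE 7/8 (headers on every file were not needed).
declare(strict_types=1);

// Assumed "basic" compact policy; the thread does not state the one that worked.
const P3P_CP      = 'CAO PSA OUR';
const P3P_POLICY  = '/w3c/p3p.xml';   // location of the full policy, as in the question
const COOKIE_NAME = 'widget_session'; // assumed cookie name

function sendP3pHeader(): void
{
    // Must go out before any body output and on the response that sets the cookie.
    header('P3P: policyref="' . P3P_POLICY . '" CP="' . P3P_CP . '"');
}

$action = $_GET['action'] ?? 'read';

if ($action === 'set') {
    sendP3pHeader();
    // Random opaque token; a real login would tie this to server-side session state.
    setcookie(COOKIE_NAME, bin2hex(random_bytes(16)), [
        'expires'  => time() + 3600,
        'path'     => '/',
        'httponly' => true,   // keep the token out of reach of page scripts
        // 'secure' => true,  // enable when the widget is served over HTTPS
    ]);
    echo 'cookie set';
} else {
    // Report presence only; never echo the token back into the page.
    echo isset($_COOKIE[COOKIE_NAME]) ? 'cookie present' : 'no cookie';
}
```

Load `?action=set` inside the iframe, then `?action=read`; if IE's privacy report still shows the cookie as Blocked, confirm with a proxy (not just curl) that the P3P line actually arrives on the `action=set` response.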
Changes with nginx 0.8.20
Bugfix: the "Set-Cookie" and "P3P" FastCGI response header lines were
not hidden while caching if no "fastcgi_hide_header" directives were
used with any parameters.
Nginx Changes log