javascript PhoneGap 中的 Cookie 标头:拒绝设置不安全的标头“Cookie”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17847283/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Cookie Header in PhoneGap: Refused to set unsafe header "Cookie"
提问by evancohen
I'm developing a PhoneGap application that communicates with a secure .net server. The issue is, I can't seem to pass along any Cookies with any request (W3C).
我正在开发一个与安全 .net 服务器通信的 PhoneGap 应用程序。问题是,我似乎无法通过任何请求(W3C)传递任何 Cookie 。
This is what I am doing (assume that "username" and "password" work).
这就是我正在做的(假设“用户名”和“密码”有效)。
var token;
$.ajax({
url: "https://server.com/AuthService/api/account/login",
crossDomain: true,
type: 'post',
async: false,
data: {
username: "username",
password: "password"
}
}).done(function(response) {
token = response.securityToken;
success = true;
});
At this point I have an authentication token that I can use to validate all subsequent requests. So using that token I make another request to the server...
此时,我有一个身份验证令牌,可用于验证所有后续请求。所以使用该令牌我向服务器发出另一个请求......
$.ajax({
url: "https://server.com/Service/api/search?query=" + query,
headers: { Cookie: 'auth=' + token },
crossDomain: true,
withCredentials: true,
type: 'POST',
async: false,
data: ' ' //because we don't want our request to be 0 bytes (the server is picky)
}).done(function(data) {
result = data;
});
Chrome just says: Refused to set unsafe header "Cookie" (which adheres to the W3C spec). The app doesn't set the header and as a result the request 401s because the authorization cookie is not sent.
Chrome 只是说:拒绝设置不安全的标头“Cookie”(符合 W3C 规范)。该应用程序未设置标头,因此请求 401s,因为未发送授权 cookie。
My question is this: Is there any way to subvert this and override the Cookie header (or another way to go about it entirely) on PhoneGap? I know that using an Authorization header is also an option, but I have limited access to the server (which doesn't support it) and was hoping for a more immediate solution.
我的问题是:有没有办法在 PhoneGap 上颠覆这一点并覆盖 Cookie 标头(或其他完全解决它的方法)?我知道使用 Authorization 标头也是一种选择,但是我对服务器的访问权限有限(不支持它)并且希望有一个更直接的解决方案。
Bonus question: The call to the AuthService should also set an httpOnly cookie on the device, but does not (I speculate that this is because it is cross domain request)... Am I correct in this assumption, or could there be something wrong server side?
额外问题:对 AuthService 的调用也应该在设备上设置一个 httpOnly cookie,但没有(我推测这是因为它是跨域请求)......我在这个假设中是否正确,或者可能有什么问题服务器端?
Thanks!
谢谢!
采纳答案by Erin Spiceland
The short answer is no, you can't set the Cookie header. The reason for this is that Chrome is your User Agent, so it is required by the HTTP specification to disallow modifications to headers which have security implications.
简短的回答是否定的,您不能设置 Cookie 标头。这样做的原因是 Chrome 是您的用户代理,因此 HTTP 规范要求禁止对具有安全隐患的标头进行修改。
One solution would be to perform an action that allows the server to set the cookie on your XmlHttpRequest object. You say you're already trying to do this but it's not working. I suspect that's because you need to set withCredentials on your ajax request. Add the xhrFields attribute, as follows.
一种解决方案是执行一项操作,允许服务器在您的 XmlHttpRequest 对象上设置 cookie。你说你已经在尝试这样做,但它不起作用。我怀疑这是因为您需要在 ajax 请求中设置 withCredentials。添加 xhrFields 属性,如下所示。
var token;
$.ajax({
url: "https://server.com/AuthService/api/account/login",
crossDomain: true,
xhrFields: {withCredentials: true},
type: 'post',
async: false,
data: {
username: "username",
password: "password"
}
}).done(function(response) {
token = response.securityToken;
success = true;
});
Now as long as the responding server doesn't send a wildcard as its CORS allowed domains (Access-Control-Allow-Origin), you should receive the cookie.
现在只要响应服务器不发送通配符作为其 CORS 允许的域 (Access-Control-Allow-Origin),您就应该收到 cookie。
