Javascript 从不同的域读取 cookie
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/36318866/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Reading a cookie from a different domain
提问by Reverend Bubbles
I'm developing a page/form for a campaign inside my company. However, the first step is to check if the person is logged in. This is easily checked against a cookie - CUSTOMER - that is set once they're logged in.
我正在为公司内部的活动开发页面/表单。但是,第一步是检查此人是否已登录。这很容易根据 cookie - CUSTOMER 进行检查,该 cookie 在他们登录后设置。
However: 1) I'm developing locally, not on the same domain, and, as a result can't see that cookie 2) The final campaign may or may not end up residing on the actual domain. They may end up using a vanity URL or something.
但是:1) 我在本地开发,而不是在同一个域上,因此看不到那个 cookie 2) 最终的活动可能会也可能不会驻留在实际域中。他们最终可能会使用虚 URL 或其他东西。
For purposes of this, let's assume I do NOT have access to the main domain where the cookie was set.
为此,我们假设我无权访问设置 cookie 的主域。
How can I read that cookie from off the domain? Oh, and since IT folks don't let us touch the back-end grumble, it has to be a JS solution.
如何从域外读取该 cookie?哦,既然 IT 人员不让我们触及后端抱怨,它必须是一个 JS 解决方案。
Thanks!
谢谢!
回答by Quentin
You can't.
你不能。
The only cookies you can read with client side JavaScript are those belonging to the host of the HTML document in which the <script>is embedded.
您可以使用客户端 JavaScript 读取的唯一 cookie 是那些属于其中<script>嵌入的 HTML 文档的主机的 cookie 。
By setting withCredentialsyou can support cookies in cross-origin requests, but they are handled transparently by the browser and JS has no direct access to them (the XHR spec goes to far as to explicitly ban getAllResponseHeadersfrom reading cookie related headers). The only way for a cross-origin request to get access to cookies is for the server (which you say you don't have access to) to copy the data into the body or a different response header).
通过设置,withCredentials您可以在跨域请求中支持 cookie,但它们由浏览器透明处理,JS 无法直接访问它们(XHR 规范甚至明确禁止getAllResponseHeaders读取与 cookie 相关的标头)。跨域请求访问 cookie 的唯一方法是让服务器(您说您无权访问)将数据复制到正文或不同的响应标头中)。
回答by quazardous
You can if you can install server side components.
如果可以安装服务器端组件,则可以。
You can use a dedicated domain to host your cookie and then share it using XSS technics
您可以使用专用域来托管您的 cookie,然后使用 XSS 技术共享它
When dom1.foo.com logs in then you register a cookie on cookie.foo.com using an Ajax XSS call then when you go on dom2.foo.com you have to query cookie.foo.com with your XSS api
当 dom1.foo.com 登录时,您使用 Ajax XSS 调用在 cookie.foo.com 上注册一个 cookie,然后当您访问 dom2.foo.com 时,您必须使用您的 XSS api 查询 cookie.foo.com
I' ve played with it some time ago https://github.com/quazardous/mudoco/blob/master/mudoco/README.txtIt's just some sort of POC..
我前段时间玩过它 https://github.com/quazardous/mudoco/blob/master/mudoco/README.txt这只是某种 POC ..
回答by Kamarey
Think you can do it by embedding an iframe into your page with src pointing to the domain "with cookie". Say http://cookiedomain.com/some.html. Some.html page will run javascript that access the cookie and set some global variable
认为您可以通过将 iframe 嵌入到您的页面中来实现,其中 src 指向“带有 cookie”的域。说http://cookiedomain.com/some.html。Some.html 页面将运行访问 cookie 的 javascript 并设置一些全局变量
