javascript: Cross-domain cookie using CORS in Safari
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/3814375/
Cross domain cookie using CORS in Safari
Asked by Howard
I followed the example: http://arunranga.com/examples/access-control/credentialedRequest.html
from this page: http://arunranga.com/examples/access-control/
The example works in Firefox, but not Safari. Has anyone tried implementing CORS cross-domain cookie handling and been successful in Safari?
Thanks.
Accepted answer by monsur
This sounds like a Safari bug. I just verified that cross-domain cookies aren't being set in Safari. Cross-domain cookies are working in Chrome, so this may be fixed in WebKit and the latest hasn't made it to Safari yet. I haven't seen a Safari or WebKit bug report about this.
Answer by 23inhouse
Safari also blocks cookies from sites that haven't been visited directly. You can see this in the security settings. Its default setting is Accept cookies: "Only from sites I visit".
This will help get you started. Setting cross-domain cookies in Safari
I have JSONP working in Safari using methods in the above link. So I assumed that the cookie would work in the CORS context, but at this stage it doesn't seem to be working. Also, changing the security setting seems to have no effect.
Safari might demand a stricter set of headers to be returned?
Answer by Artem Vasiliev
I encountered this with API/UI apps on different subdomains of Heroku, like my-api.herokuapp.com and my-ui.herokuapp.com; the session cookie was set for my-api.herokuapp.com. Even visiting my-api.herokuapp.com didn't seem to help Safari in this case with its default 'Only from sites I visit' policy that @23inhouse mentioned: http://content.screencast.com/users/artemv/folders/Jing/media/4dfc08d7-0e9c-483f-a272-bbe91549ea95/00000759.png.
However, Safari worked just fine when we assigned a custom domain to these apps and it became my-api.mydomain.com and my-ui.mydomain.com - so it looks like Safari has particularly low trust in popular hosters' subdomains. No direct visit to my-api.mydomain.com was needed in this case.
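A possible explanation for the difference reported in the last answer, as an added example (not code from the original thread): assuming the browser classifies a cookie as third-party by comparing registrable domains (eTLD+1) taken from the Public Suffix List, which lists herokuapp.com, two Heroku apps are different sites while two subdomains of a custom domain are the same site. The suffix set below is a constructed subset, and the function names are hypothetical.

```javascript
// Constructed subset of the Public Suffix List (assumption: a real check
// would load the full list from publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(["com", "herokuapp.com"]);

// Return the registrable domain (eTLD+1): the longest matching public suffix
// plus one label to its left. Returns null when the host is itself a suffix.
function registrableDomain(host, suffixes = PUBLIC_SUFFIXES) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the longest candidate to the shortest, so the first hit
  // is the longest matching suffix.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (suffixes.has(candidate)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // No listed suffix: treat the last label as the suffix (the PSL "*" default).
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// A request is third-party when the page and the request target do not
// share a registrable domain. Hosts that are bare suffixes never match.
function isThirdParty(pageHost, requestHost) {
  const page = registrableDomain(pageHost);
  const target = registrableDomain(requestHost);
  return page === null || target === null || page !== target;
}

// The two deployments described in the answer (hostnames from the thread).
function classifyDeployments() {
  return {
    heroku: isThirdParty("my-ui.herokuapp.com", "my-api.herokuapp.com"),
    customDomain: isThirdParty("my-ui.mydomain.com", "my-api.mydomain.com"),
  };
}

console.log(classifyDeployments());
```

Under this assumption, a session cookie set by my-api.herokuapp.com is a third-party cookie for a page on my-ui.herokuapp.com and falls under a policy that blocks third-party cookies, while the custom-domain pair shares mydomain.com and does not.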

