场景:
在 xx.com/y.html 代码为:
- <iframe id='ok' name='ok' src='http://zz.com/w.htm?authKey=ertwg'></iframe>
<iframe id='ok' name='ok' src='http://zz.com/w.htm?authKey=ertwg'></iframe>
w.htm 需要根据 authKey 写入 cookie ,授权y.html 嵌入 zz.com 站点的其他页面(例如即时重定向到另一个页面显示写入的 cookie )。
w.htm 内容为:
- if (request.getParameter("authKey") != null) {
- response.addCookie(new Cookie("logined", "ok"));
- response.sendRedirect(request.getContextPath() + request.getServletPath());
- } else {
- Cookie[] cs = request.getCookies();
- if (cs != null) {
- for (Cookie c : cs) {
- if (c.getName().equals("logined")) {
- response.getWriter().println("logined : " + c.getValue());
- }
- }
- }
- }
if (request.getParameter("authKey") != null) {
response.addCookie(new Cookie("logined", "ok"));
response.sendRedirect(request.getContextPath() + request.getServletPath());
} else {
Cookie[] cs = request.getCookies();
if (cs != null) {
for (Cookie c : cs) {
if (c.getName().equals("logined")) {
response.getWriter().println("logined : " + c.getValue());
}
}
}
}
问题 :
但是在 ie6,7 以及 safari 中发现 cookie 并没有被写入,重定向的读页面读不出刚刚设置的cookie。
解决:
涉及到 p3p 简洁策略 的设置以及在 safari 下的特殊处理:
ie6,7
需要在 w.htm 的返回响应中加入 p3p 简明策略响应头:
- // ie need this
- response.addHeader("P3P", "CP=\"CAO PSA OUR\"");
// ie need this
response.addHeader("P3P", "CP=\"CAO PSA OUR\"");
允许在嵌入自己情况下写入cookie。
safari
不能直接通过 iframe.src 来请求第三方页面,需要通过表单 post 提交来允许第三方页面 cookie 写入 :
- S.use("ua,dom", function(S, UA, DOM) {
- var ok = S.get("#ok");
- var action = "http://zz.com/w.htm?authKey=ssdf";
- if (UA.safari) {
- var form = DOM.create("<form " +
- " method='post' " +
- "action='" + action + "'" +
- " target='ok'" +
- " style='position: absolute;left: -9999;top: -9999px'>");
- DOM.append(form,document.body);
- DOM.append(DOM.create("<input name='authKey' value='ssdf'/>"), form);
- form.submit();
- } else {
- ok.src = action;
- }
- });
S.use("ua,dom", function(S, UA, DOM) { var ok = S.get("#ok"); var action = "http://zz.com/w.htm?authKey=ssdf"; if (UA.safari) { var form = DOM.create("<form " + " method='post' " + "action='" + action + "'" + " target='ok'" + " style='position: absolute;left: -9999;top: -9999px'>"); DOM.append(form,document.body); DOM.append(DOM.create("<input name='authKey' value='ssdf'/>"), form); form.submit(); } else { ok.src = action; } });
update 2011-05-26
1.该问题和 iframe 没有关系,只要是当前页面往第三方页面发送 get 请求,该 get 请求无论是通过 iframe发送,还是通过 img.src 或者通过 script.src ,第三方页面都会写不进 cookie.
2.多次重定向以及 https 情景下依然可用。
场景:
http://a.com/demo.html 嵌入 iframe 页面 http://b.com/cookie.htm?set=2
a.com/demo.html :
- <iframe src='http://b.com/cookie.htm?set=2'></iframe>
<iframe src='http://b.com/cookie.htm?set=2'></iframe>
b.com/cookie.htm :
- if (request.getParameter("set") != null) {
- // ie need this
- //response.addHeader("P3P", "CP=\"CAO PSA OUR\"");
- String set = request.getParameter("set");
- if (set.equals("1")) {
- System.out.println(request.getPathInfo());
- response.addCookie(new Cookie("logined", "ok"));
- response.sendRedirect(request.getContextPath() + request.getServletPath());
- } else {
- response.sendRedirect("https://a.com/iframe_post.html");
- }
- } else {
- Cookie[] cs = request.getCookies();
- if (cs != null) {
- for (Cookie c : cs) {
- if (c.getName().equals("logined")) {
- response.getWriter().println("logined : " + c.getValue());
- }
- }
- }
- }
if (request.getParameter("set") != null) {
// ie need this
//response.addHeader("P3P", "CP=\"CAO PSA OUR\"");
String set = request.getParameter("set");
if (set.equals("1")) {
System.out.println(request.getPathInfo());
response.addCookie(new Cookie("logined", "ok"));
response.sendRedirect(request.getContextPath() + request.getServletPath());
} else {
response.sendRedirect("https://a.com/iframe_post.html");
}
} else {
Cookie[] cs = request.getCookies();
if (cs != null) {
for (Cookie c : cs) {
if (c.getName().equals("logined")) {
response.getWriter().println("logined : " + c.getValue());
}
}
}
}
会使得 a.com 中的 iframe 跳转多次,
iframe -> b.com/cookie.htm?set=2 -> https://a.com/iframe_post.htm
a.com/iframe_post.htm 会再次发送请求给 b.com/cookie.htm?set=1 ,这时会设置 cookie:
a.com/iframe_post.htm :
- <meta charset='utf-8'/>
- <script type="text/javascript" src="../../base/javascript/kissy.js"></script>
- <script type="text/javascript">
- KISSY.ready(function(S) {
- S.use("ua,dom", function(S, UA, DOM) {
- var ok = S.get("#ok");
- var action = "https://b.com/cookies?set=1";
- if (UA.safari) {
- var form = DOM.create("<form " +
- " method='post' " +
- "action='" + action + "'" +
- " style='position: absolute;left: -9999;top: -9999px'>");
- DOM.append(form,document.body);
- DOM.append(DOM.create("<input name='set' value='1'/>"), form);
- form.submit();
- } else {
- window.location = action;
- }
- });
- });
- </script>
<meta charset='utf-8'/>
<script type="text/javascript" src="../../base/javascript/kissy.js"></script>
<script type="text/javascript">
KISSY.ready(function(S) {
S.use("ua,dom", function(S, UA, DOM) {
var ok = S.get("#ok");
var action = "https://b.com/cookies?set=1";
if (UA.safari) {
var form = DOM.create("<form " +
" method='post' " +
"action='" + action + "'" +
" style='position: absolute;left: -9999;top: -9999px'>");
DOM.append(form,document.body);
DOM.append(DOM.create("<input name='set' value='1'/>"), form);
form.submit();
} else {
window.location = action;
}
});
});
</script>
关键在于设置 cookie 前的这一请求在 safari 下必须为 post 过去的!即 a.com/iframe_post.html 中的 UA 判断,通过 form 提交使得自身跳转到 b.com/cookie.htm