在开发中,我们碰到的跨域主要还是纠结在IE,页面中的IFRAME或者FRAME或者JS跨域的时候,IE有安全策略限制页面不带cookie,但是如果我们加上P3P,就没有这策略的限制。这也是P3P来突破跨域的可行前提,在访问b.com域后,设置了a.com域的cookie值。
在开发中,我们碰到的跨域主要还是纠结在IE,页面中的IFRAME或者FRAME或者JS跨域的时候,IE有安全策略限制页面不带cookie,但是如果我们加上P3P,就没有这策略的限制。这也是P3P来突破跨域的可行前提。
此次来两个不同域名,用IE6测试一下试一下,实践来源:http://blog.163.com/niuzai369@126/blog/static/3743091520122733733736/
它里面的www.a.com就是咱们对应的www.naimanqi.com.cn,而www.b.com则对应www.naimanqi.cn,如下:
cat /data/htdocs/naimanqi.com.cn/a_setcookie.php
<?php setcookie("test", $_GET['id'], time()+3600, "/", ".naimanqi.com.cn"); ?>
cat /data/htdocs/naimanqi.com.cn/a_getcookie.php
<?php var_dump($_COOKIE); ?>
cat /data/htdocs/naimanqi.cn/b_setcookie.php
<script src="http://www.naimanqi.com.cn/a_setcookie.php?id=www.naimanqi.com.cn"></script>
在IE9和FF和Chrome如下:
http://www.naimanqi.cn/b_setcookie.php
http://www.naimanqi.com.cn/a_getcookie.php
array(1) { ["test"]=> string(19) "www.naimanqi.com.cn" }
但是在IE6下就没法输出这个:
array(1) { ["test"]=> string(19) "www.naimanqi.com.cn" }
将http://www.naimanqi.com.cn/a_setcookie.php文件内容改为如下:
<?php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test", $_GET['id'], time()+3600, "/", ".naimanqi.com.cn");
?>
在ie6下访问http://www.naimanqi.cn/b_setcookie.php域后,设置了www.naimanqi.com.cn域的cookie值。
http://www.naimanqi.cn/b_setcookie.php
http://www.naimanqi.com.cn/a_getcookie.php
array(1) { ["test"]=> string(19) "www.naimanqi.com.cn" }
===========================同域名不同二级域名的实践如下=============================
从上面例子可以看出通过发送P3P头信息而实现的跨域。(在Firefox不发送P3P也能跨域成功)IE高版本也是可以的-AddTime:2016-08-16。
实践一下:
1)b.jackxiang.com/test.html
2)a.jackxiang.com/test.php
此时我们请求 http://b.jackxiang.com/test.html , 他包含一个iframe,会去跨域请求 http://a.jackxiang.com/test.php ,该php页面会尝试 set-cookie。
第一次请求, test.php 会 set-cookie,所以浏览器会收到一个cookie。
理论上认为:
如果 set-cookie 成功,再次请求该页面,浏览器应该会 sent 刚才 recieve 到的cookie。
问题出现了:
可是由于前面说的跨域限制,在IE里的iframe标签是 set-cookie不成功的,所以无法sent刚才收到的cookie。 这里无论是 session cookie 还是本地cookie都是一样。(这里说的是第一次是能收到php设置的cookie的,是再次发起请求时,这个cookie没有在http头里,我用IE10好像不存在这个问题。:(难道 是我安全级别设置太低了?NO,是二级域名相同的问题,哈哈)
实际上看到:
可以看到:
第一次访问:b.jackxiang.com/test.html 出现:alert空。
第二次发包,还是没能sent出去cookie,用Httpwatcher抓包发现cookie是空的。
______________________________________
原因是:以 Internet Explorer 为例,默认情况下,IE的隐私策略如下图所设:
请注意其中这一条:阻止保存可用来联系您的信息而没有您的明确同意的第三方Cookie。 //做互联网那帮起草的人为用户安全着想把权限给用户了,我们程序员被困住了,因为需求:如多个站群的登录的简单实现,辨别等所谓跨站跟踪,行为分析啥的又很有必要。
但是这种情况在加入了P3P header 后会改变。
P3P header允许跨域访问隐私数据,从而可以跨域set-cookie成功
我们修改 http://a.jackxiang.com/test.php 为:
再次访问两次上面的测试过程:
可以看到第二个包已经发送出了收到的cookie
而我们写的javascript也能够弹出cookie了。
我修改成:test=jack,再修改再访问,没有被修改,还是jack,果然不会被修改。
值得注意的是,P3P header只需要设置一次,这样跟在这个P3P header后面的所有 set-cookie,都可以跨域访问了。也就是说: 被P3P header设置过一次后,之后的请求不再需要P3P header,也能够在iframe里跨域发送这些cookie。
但是如果用 set-cookie 去改变设置好的cookie,则不再具有这种跨域访问特性。
P3P header 还有一个特点就是同一个包里只能设置一次,后面的P3P Header不会覆盖前面的P3P header,浏览器只认第一个。
用fiddler抓包看下,这个cookie是怎么设置的呢?
去的请求有没有带cookie,显示:
This request did not send any cookie data.
回来的cookie显示(证明是在服务器回来时就设计了,js再读取出来的,达到了一次就读取,其这个给学习带来难度,往往出现感觉这个cookie是在客户端设置的假象,其实是php的header设置后,前端用js去立即读取,这样一个流程情况):
Response sent 80 bytes of Cookie data:
Set-Cookie: test=jack; expires=Sun, 23-Dec-2018 08:13:02 GMT; domain=.a.jackxiang.com; path=/
P3P Header is present:
CP=CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR
!ERROR! P3P Compact Policy string is not properly quoted.
Validate P3P Policies at: http://www.w3.org/P3P/validator.html
Learn more at: http://fiddler2.com/r/?p3pinfo
其本质就是相当于通过b.jackxiang.com这个域名的php脚本给a.jackxiang.com这个域下设置了一个cookie变量,且是合法的一种办法,用Httpwatcher就会看到如下:
test Sent jack / .a.jackxiang.com (Session) No No
test2 Sent jack2 / .a.jackxiang.com (Session) No No
实践来源:http://www.cnblogs.com/ccdc/archive/2012/05/08/2489535.html
————————————————————————————————————————————————————————————————————————
============================之前的参考如下:======================================
P3P 是说,在页面中 iframe 或者 frame 或者 js 时候,IE 会有安全策略限制 这些页面不带cookie 。如果加上P3P 则没有这个限制。
来自:http://hi.baidu.com/houdelei250/blog/item/da1ad135f0c39147251f14bd.html
http://blog.163.com/niuzai369@126/blog/static/3743091520122733733736/
实际工作中,类似这样的要求很多,比如说,我们有两个域名,我们想实现在一个域名登录后,能自动完成另一个域名的登录,也就是PASSPORT的功能。
我只写一个大概,为了测试的方便,先编辑hosts文件,加入测试域名(C:\WINDOWS\system32\drivers\etc\hosts)
127.0.0.1 www.a.com
127.0.0.1 www.b.com
首先:创建 a_setcookie.php 文件,内容如下:
然后:创建 a_getcookie.php 文件,内容如下:
最后:创建 b_setcookie.php 文件,内容如下:
<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>
----------------------------
三个文件创建完毕后,我们通过浏览器依次访问:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
我们会发现,在访问b.com域的时候,我们并没有在a.com域设置上cookie值。
然后我们修改一下a_setcookie.php文件,去掉注释符号,a_setcookie.php即为:
再次通过浏览器依次访问:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
这次,你会发现在访问b.com域的时候,我们设置了a.com域的cookie值。
末了补充一句,似乎只有IE对跨域访问COOKIE限制比较严格,上述代码在FIREFOX下测试,即使不发送P3P头信息,也能成功。
==========================================
通过Fiddler可以方便的知道上面P3P代码的含义
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual's characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
Validate at: http://www.w3.org/P3P/validator.html
Learn more at: http://www.fiddlertool.com/redir/?id=p3pinfo
参考文档:http://www.w3.org/P3P/
参考:http://www.dup2.org/node/384
在开发中,我们碰到的跨域主要还是纠结在IE,页面中的IFRAME或者FRAME或者JS跨域的时候,IE有安全策略限制页面不带cookie,但是如果我们加上P3P,就没有这策略的限制。这也是P3P来突破跨域的可行前提。
此次来两个不同域名,用IE6测试一下试一下,实践来源:http://blog.163.com/niuzai369@126/blog/static/3743091520122733733736/
它里面的www.a.com就是咱们对应的www.naimanqi.com.cn,而www.b.com则对应www.naimanqi.cn,如下:
cat /data/htdocs/naimanqi.com.cn/a_setcookie.php
<?php setcookie("test", $_GET['id'], time()+3600, "/", ".naimanqi.com.cn"); ?>
cat /data/htdocs/naimanqi.com.cn/a_getcookie.php
<?php var_dump($_COOKIE); ?>
cat /data/htdocs/naimanqi.cn/b_setcookie.php
<script src="http://www.naimanqi.com.cn/a_setcookie.php?id=www.naimanqi.com.cn"></script>
在IE9和FF和Chrome如下:
http://www.naimanqi.cn/b_setcookie.php
http://www.naimanqi.com.cn/a_getcookie.php
array(1) { ["test"]=> string(19) "www.naimanqi.com.cn" }
但是在IE6下就没法输出这个:
array(1) { ["test"]=> string(19) "www.naimanqi.com.cn" }
将http://www.naimanqi.com.cn/a_setcookie.php文件内容改为如下:
<?php
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
setcookie("test", $_GET['id'], time()+3600, "/", ".naimanqi.com.cn");
?>
在ie6下访问http://www.naimanqi.cn/b_setcookie.php域后,设置了www.naimanqi.com.cn域的cookie值。
http://www.naimanqi.cn/b_setcookie.php
http://www.naimanqi.com.cn/a_getcookie.php
array(1) { ["test"]=> string(19) "www.naimanqi.com.cn" }
===========================同域名不同二级域名的实践如下=============================
从上面例子可以看出通过发送P3P头信息而实现的跨域。(在Firefox不发送P3P也能跨域成功)IE高版本也是可以的-AddTime:2016-08-16。
实践一下:
1)b.jackxiang.com/test.html
2)a.jackxiang.com/test.php
此时我们请求 http://b.jackxiang.com/test.html , 他包含一个iframe,会去跨域请求 http://a.jackxiang.com/test.php ,该php页面会尝试 set-cookie。
第一次请求, test.php 会 set-cookie,所以浏览器会收到一个cookie。
理论上认为:
如果 set-cookie 成功,再次请求该页面,浏览器应该会 sent 刚才 recieve 到的cookie。
问题出现了:
可是由于前面说的跨域限制,在IE里的iframe标签是 set-cookie不成功的,所以无法sent刚才收到的cookie。 这里无论是 session cookie 还是本地cookie都是一样。(这里说的是第一次是能收到php设置的cookie的,是再次发起请求时,这个cookie没有在http头里,我用IE10好像不存在这个问题。:(难道 是我安全级别设置太低了?NO,是二级域名相同的问题,哈哈)
实际上看到:
可以看到:
第一次访问:b.jackxiang.com/test.html 出现:alert空。
第二次发包,还是没能sent出去cookie,用Httpwatcher抓包发现cookie是空的。
______________________________________
原因是:以 Internet Explorer 为例,默认情况下,IE的隐私策略如下图所设:
请注意其中这一条:阻止保存可用来联系您的信息而没有您的明确同意的第三方Cookie。 //做互联网那帮起草的人为用户安全着想把权限给用户了,我们程序员被困住了,因为需求:如多个站群的登录的简单实现,辨别等所谓跨站跟踪,行为分析啥的又很有必要。
但是这种情况在加入了P3P header 后会改变。
P3P header允许跨域访问隐私数据,从而可以跨域set-cookie成功
我们修改 http://a.jackxiang.com/test.php 为:
再次访问两次上面的测试过程:
可以看到第二个包已经发送出了收到的cookie
而我们写的javascript也能够弹出cookie了。
我修改成:test=jack,再修改再访问,没有被修改,还是jack,果然不会被修改。
值得注意的是,P3P header只需要设置一次,这样跟在这个P3P header后面的所有 set-cookie,都可以跨域访问了。也就是说: 被P3P header设置过一次后,之后的请求不再需要P3P header,也能够在iframe里跨域发送这些cookie。
但是如果用 set-cookie 去改变设置好的cookie,则不再具有这种跨域访问特性。
P3P header 还有一个特点就是同一个包里只能设置一次,后面的P3P Header不会覆盖前面的P3P header,浏览器只认第一个。
用fiddler抓包看下,这个cookie是怎么设置的呢?
去的请求有没有带cookie,显示:
This request did not send any cookie data.
回来的cookie显示(证明是在服务器回来时就设计了,js再读取出来的,达到了一次就读取,其这个给学习带来难度,往往出现感觉这个cookie是在客户端设置的假象,其实是php的header设置后,前端用js去立即读取,这样一个流程情况):
Response sent 80 bytes of Cookie data:
Set-Cookie: test=jack; expires=Sun, 23-Dec-2018 08:13:02 GMT; domain=.a.jackxiang.com; path=/
P3P Header is present:
CP=CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR
!ERROR! P3P Compact Policy string is not properly quoted.
Validate P3P Policies at: http://www.w3.org/P3P/validator.html
Learn more at: http://fiddler2.com/r/?p3pinfo
其本质就是相当于通过b.jackxiang.com这个域名的php脚本给a.jackxiang.com这个域下设置了一个cookie变量,且是合法的一种办法,用Httpwatcher就会看到如下:
test Sent jack / .a.jackxiang.com (Session) No No
test2 Sent jack2 / .a.jackxiang.com (Session) No No
实践来源:http://www.cnblogs.com/ccdc/archive/2012/05/08/2489535.html
————————————————————————————————————————————————————————————————————————
============================之前的参考如下:======================================
P3P 是说,在页面中 iframe 或者 frame 或者 js 时候,IE 会有安全策略限制 这些页面不带cookie 。如果加上P3P 则没有这个限制。
来自:http://hi.baidu.com/houdelei250/blog/item/da1ad135f0c39147251f14bd.html
http://blog.163.com/niuzai369@126/blog/static/3743091520122733733736/
实际工作中,类似这样的要求很多,比如说,我们有两个域名,我们想实现在一个域名登录后,能自动完成另一个域名的登录,也就是PASSPORT的功能。
我只写一个大概,为了测试的方便,先编辑hosts文件,加入测试域名(C:\WINDOWS\system32\drivers\etc\hosts)
127.0.0.1 www.a.com
127.0.0.1 www.b.com
首先:创建 a_setcookie.php 文件,内容如下:
然后:创建 a_getcookie.php 文件,内容如下:
最后:创建 b_setcookie.php 文件,内容如下:
<script src="http://www.a.com/a_setcookie.php?id=www.b.com"></script>
----------------------------
三个文件创建完毕后,我们通过浏览器依次访问:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
我们会发现,在访问b.com域的时候,我们并没有在a.com域设置上cookie值。
然后我们修改一下a_setcookie.php文件,去掉注释符号,a_setcookie.php即为:
再次通过浏览器依次访问:
http://www.b.com/b_setcookie.php
http://www.a.com/a_getcookie.php
这次,你会发现在访问b.com域的时候,我们设置了a.com域的cookie值。
末了补充一句,似乎只有IE对跨域访问COOKIE限制比较严格,上述代码在FIREFOX下测试,即使不发送P3P头信息,也能成功。
==========================================
通过Fiddler可以方便的知道上面P3P代码的含义
P3P Header is present:
CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Compact Policy token is present. A trailing 'o' means opt-out, a trailing 'i' means opt-in.
CURa
Information is used to complete the activity for which it was provided.
ADMa
Information may be used for the technical support of the Web site and its computer system.
DEVa
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market.
PSAo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
PSDo
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
OUR
We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.
BUS
Info is retained under a service provider's stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy.
UNI
Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service.
PUR
Information actively generated by the purchase of a product or service, including information about the method of payment.
INT
Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity.
DEM
Data about an individual's characteristics -- such as gender, age, and income.
STA
Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies.
PRE
Data about an individual's likes and dislikes -- such as favorite color or musical tastes.
COM
Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system.
NAV
Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page.
OTC
Other types of data not captured by the above definitions.
NOI
Web Site does not collected identified data.
DSP
The privacy policy contains DISPUTES elements.
COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
Validate at: http://www.w3.org/P3P/validator.html
Learn more at: http://www.fiddlertool.com/redir/?id=p3pinfo
参考文档:http://www.w3.org/P3P/
参考:http://www.dup2.org/node/384
作者:jackxiang@向东博客 专注WEB应用 构架之美 --- 构架之美,在于尽态极妍 | 应用之美,在于药到病除
地址:http://jackxiang.com/post/4478/
版权所有。转载时必须以链接形式注明作者和原始出处及本声明!
最后编辑: jackxiang 编辑于2016-8-16 11:14
评论列表