How does Facebook set cross-domain cookies for iFrames on canvas pages?

Question:

I was browsing Facebook's documentation reading about canvas applications and I came across an example application: http://developers.facebook.com/docs/samples/canvas. As I read through their example, however, I got very confused about their use of cookies in the iframe application.

A bit of background...

I had already played around with using iframes for embeddable widgets (unrelated to Facebook) and I found out that a few browsers (Chrome, Safari, etc.) have strict cookie policies and don't allow cross-domain cookies to be set in iframes (Firefox, on the other hand, allows iframes to set cross-domain cookies). For example, if foo.com has an iframe with src="http://bar.com/widget", the iframe widget will not be able to set any cookies for bar.com and therefore will have trouble persisting state within the iframe: bar.com will interpret every request (including ajax requests) from the widget as a fresh request without an established session. I struggled, and found a way around this by using JSONP and javascript to set cookies for foo.com instead...

...wait, what?

Well, I was looking at the example canvas iframe Facebook application and I noticed that their application (hosted on runwithfriends.appspot.com) is able to set a cookie, u, with the current user's id along with a few other parameters for the runwithfriends.appspot.com domain. It sends this cookie with every request... and it works in both Chrome and Firefox! WTF? How does Facebook get around the cross-domain cookie restrictions on Chrome?

(I already know the answer now, but I thought this might be helpful for anyone struggling to figure out the same thing -- I'll post the answer below.)

So the iFrame isn't actually setting the u cookie for the runwithfriends.appspot.com domain. What Facebook does is create a form, <form action="runwithfriends.appspot.com/..." target="name_of_iframe" method="POST">, and use javascript to submit the form on page load. Since the form's target is the iframe, it doesn't reload the page... it just loads the iframe with the POST's response. Apparently even Chrome and other browsers with strict cookie policies set cookies for cross-domain requests if they are POST requests...
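The mechanism described in the answer, as an added example that is not code from the original post or from Facebook's sample app: the host page (foo.com) emits a named iframe and a hidden form whose target is that iframe, then submits the form on load, so the framed server (bar.com here, standing in for runwithfriends.appspot.com) answers a POST rather than a GET and sets its cookie in that response. The iframe name, the field names (u, sig) and the fake document used to run it outside a browser are all assumptions made for this example.

```javascript
// Added example (not from the original post or Facebook's sample app):
// a host page POSTs into a named iframe so the framed origin (bar.com here,
// a stand-in for runwithfriends.appspot.com) answers a POST and can set a
// cookie on its own domain. Field names (u, sig) are hypothetical.

const IFRAME_NAME = 'app_iframe'; // assumed name shared by <iframe> and form target

// Escape a value for a double-quoted HTML attribute so attacker-controlled
// field values cannot break out of the generated markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Markup variant: the named iframe, a hidden form whose target is that iframe,
// and a script that submits the form once the host page has loaded. The POST
// response renders inside the iframe; the host page itself does not navigate.
function buildPostToIframe(action, fields, iframeName = IFRAME_NAME) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join('\n  ');
  return [
    `<iframe name="${escapeAttr(iframeName)}" width="760" height="600"></iframe>`,
    `<form id="post_to_iframe" action="${escapeAttr(action)}" method="POST" target="${escapeAttr(iframeName)}">`,
    `  ${inputs}`,
    `</form>`,
    `<script>window.addEventListener('load', function () {`,
    `  document.getElementById('post_to_iframe').submit();`,
    `});</script>`,
  ].join('\n');
}

// DOM variant: build and submit the same form programmatically. Takes the
// document as a parameter so it can be exercised without a browser.
// The target name must match an existing iframe; otherwise the browser opens
// the POST response in a new window instead of inside the frame.
function postToIframe(doc, action, fields, iframeName = IFRAME_NAME) {
  const form = doc.createElement('form');
  form.setAttribute('method', 'POST');
  form.setAttribute('action', action);
  form.setAttribute('target', iframeName);
  for (const [name, value] of Object.entries(fields)) {
    const input = doc.createElement('input');
    input.setAttribute('type', 'hidden');
    input.setAttribute('name', name);
    input.setAttribute('value', value);
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Minimal stand-in for the DOM (constructed for this example only) that
// records attributes, children and which forms were submitted.
function makeFakeDocument() {
  const submitted = [];
  function createElement(tag) {
    const el = { tagName: tag.toUpperCase(), attributes: {}, children: [] };
    el.setAttribute = (k, v) => { el.attributes[k] = String(v); };
    el.appendChild = (child) => { el.children.push(child); return child; };
    if (tag === 'form') el.submit = () => { submitted.push(el); };
    return el;
  }
  return { body: createElement('body'), createElement, submitted };
}

// Demo: bar.com receives POST /widget with the hypothetical fields u and sig
// and answers with Set-Cookie for its own domain.
const demoDoc = makeFakeDocument();
postToIframe(demoDoc, 'http://bar.com/widget', { u: '12345', sig: 'hmac-of-fields' });
console.log(buildPostToIframe('http://bar.com/widget', { u: '12345', sig: 'hmac-of-fields' }));
```

Two practitioner caveats. First, this request has exactly the shape of a cross-site POST: any page can submit such a form at bar.com, so bar.com must not mint a session from a bare user id in the body; it needs a server-verifiable signature over the fields (the hypothetical sig above) or an equivalent check. Second, the behaviour the post relies on is the browser cookie policy of its time; browsers that block third-party cookies outright reject the Set-Cookie regardless of method, and with the current SameSite=Lax default a cookie set from a framed cross-site response is only sent back on later requests from the iframe if it is marked SameSite=None; Secure.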