摘要:如何利用實現跨域在開發中,我們碰到的跨域主要還是糾結在,頁面中的或者或者跨域的時候,有安全策略限制頁面不帶,但是如果我們加上,就沒有這策略的限制。這也是來突破跨域的可行前提。從上面例子可以看出通過發送頭信息而實現的跨域。
P3P是什么 P3P
Platform for Privacy Preferences, 是W3C公布的一項隱私保護推薦標準,以為用戶提供隱私保護。
P3P標準的構想是:Web 站點的隱私策略應該告之訪問者該站點所收集的信息類型、信息將提供給哪些人、信息將被保留多少時間及其使用信息的方式,如站點應做諸如 “本網站將監測您所訪問的頁面以提高站點的使用率”或“本網站將盡可能為您提供更合適的廣告”等申明。訪問支持P3P網站的用戶有權查看站點隱私報告,然后決定是否接受cookie 或是否使用該網站。
如何利用P3P實現跨域在開發中,我們碰到的跨域主要還是糾結在IE,頁面中的IFRAME或者FRAME或者JS跨域的時候,IE有安全策略限制頁面不帶cookie,但是如果我們加上P3P,就沒有這策略的限制。這也是P3P來突破跨域的可行前提。
例子: vist: http://www.first.com/vist.htmlhttp://www.second.com/p3p.php http://www.second.com/getp3p.php 通過瀏覽器訪問:Title
http://www.first.com/vist.html
http://www.second.com/getp3p.php
http://www.second.com/p3p.php 增加P3P頭部信息: 再次通過瀏覽器訪問:我們發現訪問first.com/vist.html后,我們并沒有在second.com域發現設置上cookie值。
http://www.first.com/vist.html
http://www.second.com/getp3p.php
在訪問second.com域后,設置了first.com域的cookie值。
從上面例子可以看出通過發送P3P頭信息而實現的跨域。(在Firefox不發送P3P也能跨域成功)
header("P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"");
JS使用P3P協議xmlhttp.setRequestHeader("P3P" ,"CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"");
P3P的頭部參數解釋P3P Header is present: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Compact Policy token is present. A trailing "o" means opt-out, a trailing "i" means opt-in. CURa Information is used to complete the activity for which it was provided. ADMa Information may be used for the technical support of the Web site and its computer system. DEVa Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. PSAo Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. PSDo Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. OUR We share information with ourselves and/or entities acting as our agents or entities for whom we are acting as an agent. BUS Info is retained under a service provider"s stated business practices. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site"s human-readable privacy policy. UNI Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual. These include identifiers issued by a Web site or service. PUR Information actively generated by the purchase of a product or service, including information about the method of payment. INT Data actively generated from or reflecting explicit interactions with a service provider through its site -- such as queries to a search engine, or logs of account activity. DEM Data about an individual"s characteristics -- such as gender, age, and income. STA Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously -- such as HTTP cookies. PRE Data about an individual"s likes and dislikes -- such as favorite color or musical tastes. COM Information about the computer system that the individual is using to access the network -- such as the IP number, domain name, browser type or operating system. NAV Data passively generated by browsing the Web site -- such as which pages are visited, and how long users stay on each page. OTC Other types of data not captured by the above definitions. NOI Web Site does not collected identified data. DSP The privacy policy contains DISPUTES elements. COR Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
這里說的跨域主要是設置cookie的情況,如果是跨域讀取cookie,要保證在對應設置cookie的時候設置了P3P,否則在讀取的事情IE會屏蔽跨域cookie。
文章版權歸作者所有,未經允許請勿轉載,若此文章存在違規行為,您可以聯系管理員刪除。
轉載請注明本文地址:http://specialneedsforspecialkids.com/yun/26069.html
摘要:規定的服務器路徑。的工作原理當一個第一次被啟用時,一個唯一的標識被存儲于本地的中。利用解決單點登陸跨域問題是公布的一項隱私保護推薦標準,以為用戶提供隱私保護。 這段時間在看一些關于SSO單點登錄的問題,寫下一些記錄和一些基礎知識的儲備。 cookie Cookie是由服務器端生成,發送給User-Agent(一般是瀏覽器),瀏覽器會將Cookie的key/value保存到某個...
摘要:可是,我們的域名有這三個域名僅僅是不同的環境,因此,的跨域名訪問就引出來了。無論是一二級域名,和不同域名下的跨域,無非要達到兩點客戶端訪問同一個所有域名對應的服務器訪問的的數據的位置必須一致。 關閉httponly引起的問題 場景1: 測試A:咦,為什么test環境登錄不了呢? 程序員:清緩存。 測試B:握草,dev也登錄不了。。。誰看看! 程序員:清緩存。 測試們:。。。唉 場景...
摘要:好啦,再次大功告成。由萬維網協會研制,它為用戶提供了對自己公開信息的更多的控制。支持的站點可以為瀏覽者聲明他們的隱私策略。果然在瀏覽器中打開設置隱私阻止永不,打開上述設置之后,跨域種瞬間成功。 前段時間開發了一個用戶登錄的模塊,需求很簡單,用戶輸入手機號和驗證碼,我們就會返回給用戶一套身份信息并保存在cookie里面。so easy,于是就有以下代碼: // 大致意思如下,并非真實模塊...
摘要:凡事有例外,以下分別對待不同情況服務器端配置即可客戶端配置,這樣大部分瀏覽器都支持跨域了,反正新版本下無問題。但放在默認設置下依然出現無法獲取的問題,至此,查資料查到解決存取的跨域問題,依照文中記載,在追加的響應頭,解決了下的問題。 一般在生產環境下盡量可以通過nginx等反向代理,把vue前端和api接口處理成同一端口和域名。 在開發和測試時,也可以使用兼容性比較好的瀏覽器進行。 凡...
閱讀 2142·2023-04-26 00:00
閱讀 3239·2021-09-24 10:37
閱讀 3528·2021-09-07 09:58
閱讀 1517·2019-08-30 15:56
閱讀 2217·2019-08-30 13:11
閱讀 2311·2019-08-29 16:38
閱讀 959·2019-08-29 12:58
閱讀 1876·2019-08-27 10:54