問題描述
我想我誤解了使用 xmlhttprequest 管理 cookie.我有一個響應(yīng) XMLHttpRequest 用 javascript 制作的服務(wù)器,我的服務(wù)器返回 Allow-Control-Access-Origin, Access-Control-Allow-Headers、Access-Control-Expose-Headers 和 Access-Control-Allow-Credentials 標頭的值正確.
i think i misunderstood the management of cookies with xmlhttprequest. I have a server that response to the XMLHttpRequest made in javascript, my server returns Allow-Control-Access-Origin, Access-Control-Allow-Headers, Access-Control-Expose-Headers and Access-Control-Allow-Credentials headers with the correct value.
我正在使用 javascript 在服務(wù)器中進行 Digest Authenticate,沒問題,我從服務(wù)器接收到 WWW-Authenticate 標頭,我處理并向服務(wù)器發(fā)送 Authorization 標頭所有的摘要響應(yīng),一切正常.問題是,當摘要挑戰(zhàn)成功時,我的服務(wù)器返回一個 Set-Cookie 標頭,我必須獲取它并添加到我所有 xhr 請求的其余部分.瀏覽器(使用 Chromium 和 Chrome)不允許我訪問標題:
I'm doing a Digest Authenticate in a server with javascript, no problem in that, i receive ok the WWW-Authenticate header from server, i process and send to the server the Authorization header with all the digest-response and everything ok.
The problem is, that when the digest-challenge is succesful, my server returns a Set-Cookie Header, i have to get it and add to the rest of all of my xhr request.
The browser (using Chromium and Chrome) not let me access to the header doing:
xhr.getResponseHeader("Set-Cookie");
好的,在 XMLHTTPREQUEST Level 2 中它說:從響應(yīng)中返回所有標頭, 字段名稱為 Set-Cookie 或 Set-Cookie2 的除外"好的,所以我不能接受,但是有什么方法?將 Chrome Api 用于 cookie(目前我沒有讀到關(guān)于它的注意事項),但我想盡可能采用標準方式.與:
Ok, in the XMLHTTPREQUEST Level 2 it says: "Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2" Ok, so i cant take it, but what are the ways? Using the Chrome Api for cookies (at the moment i dont read noting about it), but i want to do for a standard manner as posible. With the:
xhr.withCredentials = true;
表示瀏覽器自動獲取set-cookie并發(fā)送cookie headers??
means that the browser automatically get the set-cookie and send in cookie headers??
推薦答案
來自 CORS 規(guī)范 http://www.w3.org/TR/cors/#make-a-request-steps:
From CORS spec http://www.w3.org/TR/cors/#make-a-request-steps:
每當應(yīng)用發(fā)出請求的步驟時,從原始來源中獲取請求 URL,并設(shè)置手動重定向標志,如果設(shè)置了省略憑據(jù)標志,則設(shè)置阻止 cookie 標志.使用方法請求方法,實體主體請求實體主體,包括作者請求標頭,如果未設(shè)置省略憑據(jù)標志,則包括用戶憑據(jù).如果源源是全局唯一標識符,則排除 Referer 標頭.
Whenever the make a request steps are applied, fetch the request URL from origin source origin with the manual redirect flag set, and the block cookies flag set if the omit credentials flag is set. Use method request method, entity body request entity body, including the author request headers, and include user credentials if the omit credentials flag is unset. Exclude the Referer header if source origin is a globally unique identifier.
正如您所說 - 如果您使用 withCredentials,瀏覽器會添加 cookie.
As you correctly says - cookies are added by browser if you use withCredentials.
這篇關(guān)于xmlhttprequest 和 set-cookie &曲奇餅的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!