duanmin0941 2015-11-06 20:58
浏览 167
已采纳

IE11停止接受跨域Cookie策略

I just noticed an odd cookie policy problem that only affects IE. I could only test on IE11. Perhaps you know a workaround?

Step 1. This requires 2 domains. We'll call them cart.com and tracking.com.

Step 2. Using IE11, browse over to https://tracking.com/index.php and it should contain this:

<?php

setcookie('track_test', 'mytest', time()+60*60*24*365, '/', '.tracking.com');
?>
<p>COOKIE SET</p>
<p><a href="https://cart.com/purchase.php">Buy Now</a></p>

Step 3. Click the Buy Now in https://tracking.com/index.php and it should take you to https://cart.com/purchase.php, which should contain this:

// ABOVE THIS LOOKS LIKE AN ORDINARY HTML5 PAGE THAT LOADS jQuery.
<script type="text/javascript">
$(document).ready(function(){

  $('BODY').append('<img alt="" width="1" height="1" src="https://tracking.com/pixel.php" />');

});
</script>

Step 4. So, viewing purchase.php should fire https://tracking.com/pixel.php, which looks like so:

<?php
file_put_contents('output.txt',var_export($_COOKIE,TRUE),FILE_APPEND);
// RETURN FAKE IMAGE RESULT
header('Content-type: image/gif');
header('p3p:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
die(base64_decode('R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw=='));

Step 5. Now, view your output.txt on the tracking.com server. You'll find it empty. That's the problem -- it can't read the cookies. There's a cookie policy restriction, even though I have sent the proper "ignore all that, my friend" cookie header.

Now, repeat the process with Chrome and Firefox -- no issues.

Okay, so, if you go back and switch the pixel from Javascript to purely HTML to call that pixel, it won't work that way either. But if you call the pixel manually in the URL of your browser, it works just fine from IE. Our tracking used to work, so I believe this problem just occurred with IE11.

But here's my conundrum -- I'm working with a third-party, and they are passing some extra things to my pixel script like order total and order transaction ID via query parameters on the end of the pixel script URL, and those are only available to my script via Javascript. That's why I can't use the HTML technique to load that pixel script -- but must inject it at runtime using jQuery (or Javascript) in order to get that order total and order transaction ID.

  • 写回答

1条回答 默认 最新

  • douji2520 2015-11-06 22:35
    关注

    The answer is simple -- this no longer works in IE, starting with IE11. One will have to pass parameters a different way through their shopping cart in order for the receipt/thankyou page to post those parameters back properly without having cookies to be read on the receiving pixel script.

    Microsoft posted information about this on their website:

    https://msdn.microsoft.com/en-us/library/mt146424(v=vs.85).aspx

    "Recommended practice is to avoid deploying P3P privacy policies on your site."

    So, if you use a fake GIF in a script with a P3P header to access a cookie set previously on the tracking domain -- it's now broken in IE11 and Microsoft doesn't care to post why or to offer another solution. There are many web advertising tracking platforms out there that rely on this, and Microsoft just broke them.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 x趋于0时tanx-sinx极限可以拆开算吗
  • ¥500 把面具戴到人脸上,请大家贡献智慧
  • ¥15 任意一个散点图自己下载其js脚本文件并做成独立的案例页面,不要作在线的,要离线状态。
  • ¥15 各位 帮我看看如何写代码,打出来的图形要和如下图呈现的一样,急
  • ¥30 c#打开word开启修订并实时显示批注
  • ¥15 如何解决ldsc的这条报错/index error
  • ¥15 VS2022+WDK驱动开发环境
  • ¥30 关于#java#的问题,请各位专家解答!
  • ¥30 vue+element根据数据循环生成多个table,如何实现最后一列 平均分合并
  • ¥20 pcf8563时钟芯片不启振