duanmin0941 2015-11-06 20:58
浏览 167
已采纳

IE11停止接受跨域Cookie策略

I just noticed an odd cookie policy problem that only affects IE. I could only test on IE11. Perhaps you know a workaround?

Step 1. This requires 2 domains. We'll call them cart.com and tracking.com.

Step 2. Using IE11, browse over to https://tracking.com/index.php and it should contain this:

<?php

setcookie('track_test', 'mytest', time()+60*60*24*365, '/', '.tracking.com');
?>
<p>COOKIE SET</p>
<p><a href="https://cart.com/purchase.php">Buy Now</a></p>

Step 3. Click the Buy Now in https://tracking.com/index.php and it should take you to https://cart.com/purchase.php, which should contain this:

// ABOVE THIS LOOKS LIKE AN ORDINARY HTML5 PAGE THAT LOADS jQuery.
<script type="text/javascript">
$(document).ready(function(){

  $('BODY').append('<img alt="" width="1" height="1" src="https://tracking.com/pixel.php" />');

});
</script>

Step 4. So, viewing purchase.php should fire https://tracking.com/pixel.php, which looks like so:

<?php
file_put_contents('output.txt',var_export($_COOKIE,TRUE),FILE_APPEND);
// RETURN FAKE IMAGE RESULT
header('Content-type: image/gif');
header('p3p:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
die(base64_decode('R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw=='));

Step 5. Now, view your output.txt on the tracking.com server. You'll find it empty. That's the problem -- it can't read the cookies. There's a cookie policy restriction, even though I have sent the proper "ignore all that, my friend" cookie header.

Now, repeat the process with Chrome and Firefox -- no issues.

Okay, so, if you go back and switch the pixel from Javascript to purely HTML to call that pixel, it won't work that way either. But if you call the pixel manually in the URL of your browser, it works just fine from IE. Our tracking used to work, so I believe this problem just occurred with IE11.

But here's my conundrum -- I'm working with a third-party, and they are passing some extra things to my pixel script like order total and order transaction ID via query parameters on the end of the pixel script URL, and those are only available to my script via Javascript. That's why I can't use the HTML technique to load that pixel script -- but must inject it at runtime using jQuery (or Javascript) in order to get that order total and order transaction ID.

  • 写回答

1条回答 默认 最新

  • douji2520 2015-11-06 22:35
    关注

    The answer is simple -- this no longer works in IE, starting with IE11. One will have to pass parameters a different way through their shopping cart in order for the receipt/thankyou page to post those parameters back properly without having cookies to be read on the receiving pixel script.

    Microsoft posted information about this on their website:

    https://msdn.microsoft.com/en-us/library/mt146424(v=vs.85).aspx

    "Recommended practice is to avoid deploying P3P privacy policies on your site."

    So, if you use a fake GIF in a script with a P3P header to access a cookie set previously on the tracking domain -- it's now broken in IE11 and Microsoft doesn't care to post why or to offer another solution. There are many web advertising tracking platforms out there that rely on this, and Microsoft just broke them.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题
  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站
  • ¥50 成都蓉城足球俱乐部小程序抢票
  • ¥15 yolov7训练自己的数据集
  • ¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)(相关搜索:51单片机|单片机|测试代码)
  • ¥15 电力市场出清matlab yalmip kkt 双层优化问题
  • ¥30 ros小车路径规划实现不了,如何解决?(操作系统-ubuntu)