【1】Cross-domain iframe: problems carrying cookies and the session
Problem scenario:
Site A embeds site B in an iframe and passes login information to B, so that B logs in automatically once embedded. B cannot keep its session information, so the login fails.
Problem causes:
1. When the iframe was integrated, no security policy was declared between the two sides (Tomcat had Origin disabled, and the response headers did not declare P3P).
2. The parameters were passed correctly, but the first login after B was embedded failed; entering the login information directly in the embedded B page logs in successfully and the session information is kept.
Cause: not yet found...
Solution: change the login authentication to use GET. Pass the login information sent by page A into an intermediate JSP on B, which then submits the request directly to B's login method (take care to protect your login information).
Site A sends a POST request with parameters to B's authentication endpoint; the headers are as follows.
Response headers (raw):
Access-Control-Allow-Headers: origin, x-csrftoken, content-type, accept, cookie, set-cookie
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1000
Content-Length: 1572
Content-Type: text/html;charset=UTF-8
Date: Sun, 30 Jun 2013 08:41:07 GMT
P3P: CP=CAO PSA OUR
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=732B2D9FD65197CBC2EC9681409F21AE; Path=/xx/; HttpOnly
Request headers (raw):
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-cn;q=0.8,ar-sa;q=0.5,en-us;q=0.3
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 108
Content-Type: text/xml; charset=UTF-8
Host: www.xx.com
Origin: http://111.111.111.111
Pragma: no-cache
Referer: http://111.111.111.111/xx?t=2
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0
Page B needs to set the header information in its responses.
Method:
Add a filter in web.xml:

<filter>
    <filter-name>P3P Security Filter</filter-name>
    <filter-class>filter.P3PSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>P3P Security Filter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
Add the header parameters in the filter:

package filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class P3PSecurityFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Adds the P3P header declaration (and the CORS headers) to every response.
     * @param servletRequest  the incoming request
     * @param servletResponse the outgoing response
     * @param chain           the remaining filter chain
     * @throws IOException
     * @throws ServletException
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("P3P", "CP=CAO PSA OUR");
        // response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // response.setHeader("P3P", "CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'");
        // response.setHeader("P3P", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
        // response.setHeader("P3P", "CP=\"CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR\"");
        // response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
        response.setHeader("Access-Control-Max-Age", "1000");
        response.setHeader("Access-Control-Allow-Headers", "origin, x-csrftoken, content-type, accept, cookie, set-cookie");
        chain.doFilter(servletRequest, servletResponse);
    }

    public void destroy() {
    }
}
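As an added hardening example (not the author's filter): the same filter with the wildcard replaced by an allow-list of embedding origins. Browsers refuse to attach cookies to a cross-origin request whose response says `Access-Control-Allow-Origin: *`; a credentialed request needs the exact origin echoed back plus `Access-Control-Allow-Credentials: true`, and the client must send it with `withCredentials` set. The class name is assumed, and the single allow-list entry is the Origin value from the request headers above, used here as a placeholder for site A's real origin.

```java
package filter;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsAllowListFilter implements Filter {
    // Placeholder allow-list: only the origin of site A, the page that embeds B.
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<String>(Arrays.asList("http://111.111.111.111"));

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse rsp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) rsp;
        String origin = request.getHeader("Origin");

        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            // Echo the exact origin: "*" is rejected by the browser once credentials are involved.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
            // "cookie"/"set-cookie" are omitted: scripts cannot set them, so listing them does nothing.
            response.setHeader("Access-Control-Allow-Headers", "content-type, x-csrftoken");
            response.setHeader("Access-Control-Max-Age", "1000");
            // Tell caches the answer depends on Origin, so one origin's headers are not replayed to another.
            response.addHeader("Vary", "Origin");
            response.setHeader("P3P", "CP=\"CAO PSA OUR\"");
        }
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT); // preflight answered, no body
            return;
        }
        chain.doFilter(req, rsp);
    }

    public void destroy() {
    }
}
```

A request from any origin not in the list gets no CORS headers at all, so the browser blocks it rather than the server having to decide per endpoint.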
【2】Cross-domain iframe: setting styles on the parent page
There are many examples online.
For reference, the general idea: page A embeds page B; page B embeds a hidden page C that is same-origin with A; B passes its own height and width to C, and C, being same-origin with A, sets the attributes on page A.