Problem description
I have a project where I am trying to download some data in a tab-separated value format from a datahandler; however, Google Chrome is sending a null value for the Origin header value.
When I navigate to http://server.corp.somebiz.com/reportpages/Report_Page_Requests_Over_Time.aspx?app=76ac42b7-ba6f-4be4-b297-758ebc9fe615

    var url = 'http://server.corp.somebiz.com/DataHandlers/ReportSets.ashx?task=pagerequestsovertime&app=188d1956-c4a7-42f7-9bdd-38f54c14e125&format=tsv';
    // Fetch the TSV; the first callback converts each row, the second receives the result.
    d3.tsv(url, function(d) {
        d.date = parseTime(d.date);
        d.close = +d.close;
        return d;
    }, function(error, data) {
        if (error) throw error;
        console.log('Do stuff');
    });
Here are the raw headers on the request:
GET /DataHandlers/ReportSets.ashx?task=pagerequestsovertime&app=786b5ef3-1389-4890-8004-533fd1f66f16&format=tsv HTTP/1.1
Host: server.corp.somebiz.com
Connection: keep-alive
accept: text/tab-separated-values,*/*
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
This ends with an error on the console:
XMLHttpRequest cannot load http://server.corp.somebiz.com/DataHandlers/ReportSets.ashx?task=pagere…6ac42b7-ba6f-4be4-b297-758ebc9fe615&start=2/1/2017&end=3/2/2017&format=tsv. The 'Access-Control-Allow-Origin' header has a value 'http://server.corp.somebiz.com' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access.
Not only am I looking for why this is happening, but also what the conditions are that lead to Chrome sending a null Origin header to the server.
This seems to be a Chrome-specific issue, as Internet Explorer 11 is sending the proper Origin value to the server.
Update: To add another wrinkle, that may or may not be a contributing factor.
I load the calling page in an <iframe> element to isolate scripted elements. Calling the page outside of the iframe causes a different behavior: the Origin header on Chrome is missing entirely.
Recommended answer
If the iframe you’re loading the calling page in has a sandbox attribute that doesn’t contain the value allow-same-origin, browsers give it a "unique" origin:
When the [sandbox] attribute is set, the content is treated as being from a unique origin, forms, scripts, and various potentially annoying APIs are disabled, links are prevented from targeting other browsing contexts, and plugins are secured. The allow-same-origin keyword causes the content to be treated as being from its real origin instead of forcing it into a unique origin
…and when determining the value of the Origin header to send in a cross-origin request, browsers serialize any unique origin as null and give the Origin header that value.
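The behaviour described in this answer, modelled as an added example (not code from the question, the answer, or any browser): it derives the Origin value a framed page sends from the iframe's sandbox attribute, then applies the CORS comparison that produced the console error. The function names and the PAGE and ACAO constants are assumptions for illustration, with the host taken from the question.

```javascript
// Added example: a model of the rule in the answer, not browser source code.
const PAGE = 'http://server.corp.somebiz.com/reportpages/Report_Page_Requests_Over_Time.aspx';
const ACAO = 'http://server.corp.somebiz.com'; // value the server returned in the question

// sandboxAttr: the iframe's sandbox attribute value, or null when the attribute is absent.
// A present attribute (even an empty one) forces a unique origin unless it
// contains the allow-same-origin token.
function hasUniqueOrigin(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return false; // not sandboxed
  // Tokens are separated by ASCII whitespace and matched case-insensitively.
  const tokens = sandboxAttr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  return !tokens.includes('allow-same-origin');
}

// Value script in the framed page puts in the Origin header of a cross-origin request.
function serializedOrigin(pageUrl, sandboxAttr) {
  return hasUniqueOrigin(sandboxAttr) ? 'null' : new URL(pageUrl).origin;
}

// Browser-side check for a request without credentials: Access-Control-Allow-Origin
// must be "*" or exactly equal to the Origin value that was sent.
function corsCheckPasses(allowOriginHeader, originHeader) {
  return allowOriginHeader === '*' || allowOriginHeader === originHeader;
}

// Server-side choice of Access-Control-Allow-Origin (hypothetical helper).
// "null" is never echoed back: a sandboxed frame on any site serializes to
// "null", so allowing it would allow all of them.
function allowOriginFor(originHeader, allowlist) {
  if (originHeader === 'null') return null;
  return allowlist.includes(originHeader) ? originHeader : null;
}

// Stand-alone run: the three sandbox configurations and the resulting CORS outcome.
for (const attr of ['allow-scripts', 'allow-scripts allow-same-origin', null]) {
  const origin = serializedOrigin(PAGE, attr);
  console.log(JSON.stringify(attr), '-> Origin:', origin,
    '| CORS check passes:', corsCheckPasses(ACAO, origin));
}
```

Adding allow-same-origin restores the frame's real origin, but when the framed page is same-origin with its embedder and also has allow-scripts, the framed script can remove the sandbox attribute from its own iframe, so that pairing provides no isolation.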