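When we need to invoke an Ajax request we do:

    var xhr;
    if (typeof XMLHttpRequest !== 'undefined') {
        xhr = new XMLHttpRequest();
    } else {
        // Legacy IE fallback: try each ActiveX ProgID until one instantiates
        var versions = ["Microsoft.XmlHttp",
                        "MSXML2.XmlHttp",
                        "MSXML2.XmlHttp.3.0",
                        "MSXML2.XmlHttp.4.0",
                        "MSXML2.XmlHttp.5.0"];
        for (var i = 0; i < versions.length; i++) {
            try {
                xhr = new ActiveXObject(versions[i]);
                break;
            } catch (e) {}
        }
    }
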
I already know that using XMLHttpRequest-2, we can make a cross-origin request AND that the ORIGIN header is added.
Question:
When is this header added?
- Is it added when a browser (that supports CORS) is performing a request? (cross-domain or non-cross-domain?)
- Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...
I mean: what the He** does the bold line mean?
Cross-origin HTTP requests have an Origin header. This header provides the server with the request’s origin. This header is protected by the browser and cannot be changed from application code. In essence, it is the network equivalent of the origin property found on message events used in Cross Document Messaging. The origin header differs from the older referer [sic] header in that the referer is a complete URL including the path. Because the path may contain sensitive information, the referer is sometimes not sent by browsers attempting to protect user privacy. However, the browser will always send the required Origin headers when necessary.
The Origin header
When is this header added?
During the header's stage, before the document's body is sent (after open, before send).
Is it added when a browser (that supports CORS) is doing a request? (cross-domain or non-cross-domain?)
It is added when the origin doesn't match the page from which the XMLHttpRequest is created, but may also be sent in a same-origin request.
Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...
Yes.
However, the browser will always send the required Origin headers when necessary.
This is part of the XMLHttpRequest spec; if you're making a cross-domain request, in the request headers an extra header is sent. This header is e.g. Origin: http://www.stackoverflow.com and is appended by a standards-following browser without user interaction.
You can read more on the specification in MozillaWiki's Security section, WHATWG and html5.org. It is implemented by (that I know of) Firefox and Google Chrome. I don't believe it is part of W3C yet. Further, do not assume the origin header is true, as it can be set manually by modified browsers or other software.
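
Added example (not part of the original question or answer): how a server can treat the Origin header discussed above, matching it exactly against an allowlist to decide the CORS response headers while never using it as proof of who the caller is. The allowlist entries, the function names parseOrigin and corsHeaders, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. The allowlist and the sample
// requests are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Return the origin (scheme://host[:port]) if the header value is a bare,
// serialized http(s) origin; otherwise null. Rejects "null" (opaque origins)
// as well as paths, userinfo, trailing slashes and explicit default ports,
// which are not valid serialized origins.
function parseOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return value.toLowerCase() === url.origin ? url.origin : null;
}

// Decide the CORS response headers for one request. A match only tells the
// browser which page may read the response; it does not authenticate the
// caller, because non-browser clients can send any Origin value.
function corsHeaders(requestHeaders) {
  const headers = { Vary: 'Origin' }; // caches must not reuse across origins
  const origin = parseOrigin(requestHeaders.origin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { grant: false, headers }; // no Access-Control-Allow-Origin emitted
  }
  headers['Access-Control-Allow-Origin'] = origin; // exact echo, never "*"
  return { grant: true, headers };
}

// Constructed sample requests; header names lower-cased as Node.js delivers them.
const samples = [
  { origin: 'https://app.example.com' },               // allowlisted
  { origin: 'https://app.example.com.other.example' }, // suffix look-alike
  { origin: 'null' },                                  // opaque origin
  {},                                                  // no Origin header at all
];
for (const h of samples) {
  console.log(JSON.stringify(h), '->', JSON.stringify(corsHeaders(h)));
}
```

Access control for the data itself still has to come from the session or token on the request; the allowlist only governs which browser pages may read the response.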