問題描述

我正在嘗試實現簡單的 xhr 抽象，并在嘗試為 POST 設置標頭時收到此警告.我認為這可能與在單獨的 js 文件中設置標題有關，因為當我在 .html 文件的 <script> 標記中設置它們時，它工作正常.POST 請求工作正常，但我收到此警告，我很好奇為什么.對于 content-length 和 connection 標頭，我都會收到此警告，但僅限于 WebKit 瀏覽器(Chrome 5 beta 和 Safari 4).在 Firefox 中，我沒有收到任何警告，Content-Length 標頭設置為正確的值，但 Connection 設置為 keep-alive 而不是 close，這讓我認為它也忽略了我的 setRequestHeader 調用并生成它自己的.我沒有在 IE 中嘗試過這段代碼.這是標記和代碼:

I am trying to implement simple xhr abstraction, and am getting this warning when trying to set the headers for a POST. I think it might have something to do with setting the headers in a separate js file, because when i set them in the <script> tag in the .html file, it worked fine. The POST request is working fine, but I get this warning, and am curious why. I get this warning for both content-length and connection headers, but only in WebKit browsers (Chrome 5 beta and Safari 4). In Firefox, I don't get any warnings, the Content-Length header is set to the correct value, but the Connection is set to keep-alive instead of close, which makes me think that it is also ignoring my setRequestHeader calls and generating it's own. I have not tried this code in IE. Here is the markup & code:

test.html:

<!DOCTYPE html>
<html>
    <head>
        <script src="jsfile.js"></script>
        <script>
            var request = new Xhr('POST', 'script.php', true, 'data=somedata',  function(data) { 
                console.log(data.text); 
            });
        </script>
    </head>
    <body>
    </body>
</html>

jsfile.js:

function Xhr(method, url, async, data, callback) {
    var x;
    if(window.XMLHttpRequest) {
        x = new XMLHttpRequest();

        x.open(method, url, async);

        x.onreadystatechange = function() {
            if(x.readyState === 4) {
                if(x.status === 200) {
                    var data = {
                        text: x.responseText,
                        xml: x.responseXML
                    };
                    callback.call(this, data);
                }
            }
        }

        if(method.toLowerCase() === "post") {
            x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            x.setRequestHeader("Content-Length", data.length);
            x.setRequestHeader("Connection", "close");
        }

        x.send(data);
    } else {
        // ... implement IE code here ...
    }
    return x;
}

推薦答案

它也忽略了我的 setRequestHeader 調用并生成它自己的

it is also ignoring my setRequestHeader calls and generating its own

是的，標準說它必須:

出于安全原因，如果標題為 [...]，則應終止這些步驟

For security reasons, these steps should be terminated if header is [...]

• 連接
• 內容長度

搞砸這些可能會暴露各種請求走私攻擊，所以瀏覽器總是使用自己的價值觀.沒有必要也沒有理由嘗試設置請求長度，因為瀏覽器可以根據您傳遞給 send() 的數據長度準確地做到這一點.

Messing around with those could expose various request smuggling attacks, so the browser always uses its own values. There's no need or reason to try to set the request length, as the browser can do that accurately from the length of data you pass to send().

這篇關于WebKit “拒絕設置不安全的標頭‘內容長度’"的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！