Restrictions of JavaScript XMLHttpRequest's getResponseHeader()?

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/7462968/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-08-24 02:23:41  Source: igfitidea

Restrictions of XMLHttpRequest's getResponseHeader()?

javascript http xmlhttprequest

Asked by maligree

I've noticed that the results of and XMLHttpRequest.getResponseHeader() don't always match the real headers returned (if the request is made in a regular manner).


For example, assume I'm making an xhr request for https://foo.example.com/api/resource/100. In Chrome's developer console, under 'Network', I can see the response being made -- I can also see all of the response headers (say, 10). However (copy-pasted console):


> response
  XMLHttpRequest
> response.getAllResponseHeaders();
  "content-type: text/html
  " 

Are there any restrictions on what headers are available? Is this dependent on the response type? I remember getting a complete set of headers for 404s but just this one for 400s.


What gives?


Answered by Gumbo

The current state of standardizing the XMLHttpRequest API only restricts access to the Set-Cookie and Set-Cookie2 header fields:


client.getAllResponseHeaders()

Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.


Any other header field should be returned.


But as you're doing a cross-origin request, the browser needs to implement XMLHttpRequest Level 2, as the original XMLHttpRequest only allows same-origin requests:


The XMLHttpRequest Level 2 specification enhances the XMLHttpRequest object with new features, such as cross-origin requests […]


There you can read that the “Cross-Origin Resource Sharing specification filters the headers that are exposed by getResponseHeader() for non same-origin requests.” And that specification forbids access to any response header field other than the simple response header fields (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma):


User agents must filter out all response headers other than those that are a simple response header […]

E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not indicated above.

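As an added example (not from the question or either answer), the filtering Gumbo's answer describes, modelled as a plain JavaScript function that runs under Node: Set-Cookie and Set-Cookie2 are always dropped, and on a cross-origin response only the simple response headers listed above survive unless the server names further headers in Access-Control-Expose-Headers (the standard CORS header; it is assumed here, not quoted on the page). The current Fetch spec also safelists Content-Length and accepts a `*` wildcard; neither is modelled, and the sample headers are constructed.

```javascript
// Headers a cross-origin caller may always read (the list given in the answer).
const SIMPLE_RESPONSE_HEADERS = new Set([
  'cache-control', 'content-language', 'content-type',
  'expires', 'last-modified', 'pragma',
]);

// Never exposed through XHR, whether the request is same-origin or not.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

/**
 * Return the text getAllResponseHeaders() would hand back for a response.
 * @param {Object<string,string>} headers  raw response headers as sent by the server
 * @param {boolean} crossOrigin            true if the request crossed origins
 * @returns {string} CRLF-separated "name: value" lines, names lower-cased
 */
function exposedHeaders(headers, crossOrigin) {
  // XHR reports header names in lower case; normalise first.
  const entries = Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]);

  // Access-Control-Expose-Headers (assumption: standard CORS header, not quoted
  // on the page) lets the server extend the safe list for cross-origin readers.
  const expose = entries.find(([k]) => k === 'access-control-expose-headers');
  const extra = new Set(
    expose ? expose[1].split(',').map((s) => s.trim().toLowerCase()).filter(Boolean) : []
  );

  return entries
    .filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name))
    .filter(([name]) => !crossOrigin || SIMPLE_RESPONSE_HEADERS.has(name) || extra.has(name))
    .map(([name, value]) => `${name}: ${value}\r\n`)
    .join('');
}

// Constructed sample: a 400 response carrying several headers, like the one in
// the question. Cross-origin, only Content-Type survives the filter.
const SAMPLE = {
  'Content-Type': 'text/html',
  'X-Request-Id': 'abc123',
  'Set-Cookie': 'session=constructed',
  'Content-Length': '42',
};

console.log(JSON.stringify(exposedHeaders(SAMPLE, true)));  // "content-type: text/html\r\n"
console.log(JSON.stringify(exposedHeaders(SAMPLE, false))); // every header except Set-Cookie
```

Adding `'Access-Control-Expose-Headers': 'X-Request-Id'` to the sample makes `x-request-id` readable cross-origin while the Expose-Headers header itself stays hidden.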

Answered by maligree

It's the Access-Control-Allow-Origin header and the way it allows one to control which headers are exposed to the browser. Docs at mozilla.
