Javascript WebKit“拒绝设置不安全的标头‘内容长度’”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2623963/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
WebKit "Refused to set unsafe header 'content-length'"
提问by bobince
I am trying to implement simple xhr abstraction, and am getting this warning when trying to set the headers for a POST. I think it might have something to do with setting the headers in a separate js file, because when i set them in the <script>tag in the .html file, it worked fine. The POST request is working fine, but I get this warning, and am curious why. I get this warning for both content-lengthand connectionheaders, but only in WebKit browsers (Chrome 5 beta and Safari 4). In Firefox, I don't get any warnings, the Content-Length header is set to the correct value, but the Connection is set to keep-alive instead of close, which makes me think that it is also ignoring my setRequestHeader calls and generating it's own. I have not tried this code in IE. Here is the markup & code:
我正在尝试实现简单的 xhr 抽象,并且在尝试为 POST 设置标头时收到此警告。我认为这可能与在单独的 js 文件中设置标题有关,因为当我<script>在 .html 文件的标签中设置它们时,它工作正常。POST 请求工作正常,但我收到此警告,并且很好奇为什么。我对content-length和connection标题都收到此警告,但仅在 WebKit 浏览器(Chrome 5 beta 和 Safari 4)中。在 Firefox 中,我没有收到任何警告,Content-Length 标头设置为正确的值,但 Connection 设置为 keep-alive 而不是 close,这让我认为它也忽略了我的 setRequestHeader 调用并生成它自己的。我还没有在 IE 中尝试过这段代码。这是标记和代码:
test.html:
test.html:
<!DOCTYPE html>
<html>
<head>
<script src="jsfile.js"></script>
<script>
var request = new Xhr('POST', 'script.php', true, 'data=somedata', function(data) {
console.log(data.text);
});
</script>
</head>
<body>
</body>
</html>
jsfile.js:
jsfile.js:
function Xhr(method, url, async, data, callback) {
var x;
if(window.XMLHttpRequest) {
x = new XMLHttpRequest();
x.open(method, url, async);
x.onreadystatechange = function() {
if(x.readyState === 4) {
if(x.status === 200) {
var data = {
text: x.responseText,
xml: x.responseXML
};
callback.call(this, data);
}
}
}
if(method.toLowerCase() === "post") {
x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
x.setRequestHeader("Content-Length", data.length);
x.setRequestHeader("Connection", "close");
}
x.send(data);
} else {
// ... implement IE code here ...
}
return x;
}
回答by bobince
it is also ignoring my setRequestHeader calls and generating its own
它也忽略我的 setRequestHeader 调用并生成自己的
Yes, the standardsays it must:
是的,标准规定它必须:
For security reasons, these steps should be terminated if header is [...]
- Connection
- Content-Length
出于安全原因,如果 header 是 [...]
- 联系
- 内容长度
Messing around with those could expose various request smugglingattacks, so the browser always uses its own values. There's no need or reason to try to set the request length, as the browser can do that accurately from the length of data you pass to send().
弄乱这些可能会暴露各种请求走私攻击,因此浏览器始终使用自己的值。没有必要或理由尝试设置请求长度,因为浏览器可以根据您传递给send().
