How to prevent angular.js $http object from sending X-Requested-With header?
Original question: http://stackoverflow.com/questions/12312659/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
Asked by opensas
Angular.js, when accessing a web service using the $http object, automatically adds an X-Requested-With:XMLHttpRequest header to the request.
The web service I am accessing using CORS doesn't support the X-Requested-With header, so I tried to eliminate it, but I can't access the $httpProvider object. I get an undefined object error, and if I reference it in the controller's parameters, so that angular injects it, I get an "Error: Unknown provider: $httpProviderProvider <- $httpProvider".
So I wonder how I can access the $httpProvider, like it says in the docs (http://docs.angularjs.org/api/ng.$http), to tell angular.js not to send that header...
Answered by Justen
    angular.module('myModule', [])
        .config(['$httpProvider', function($httpProvider) {
            delete $httpProvider.defaults.headers.common["X-Requested-With"];
        }]);
Answered by opensas
I found that, besides Justen's answer, I can also do it on a per-request basis like this:

    delete $http.defaults.headers.common['X-Requested-With'];
Answered by Josue Alexander Ibarra
Since Angular JS version 1.1.1 removing the header is no longer necessary.
See the change log:
https://github.com/angular/angular.js/blob/master/CHANGELOG.md#111-pathological-kerning-2012-11-26
For people like me who were using the header to identify ajax requests and respond to them differently.
e.g. making a request after the session expires.
You can re-enable the header like so:
    angular.module('yourModule', [])
        .config(['$httpProvider', function($httpProvider) {
            $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
        }]);
Answered by ofthelit
Since Angular JS version 1.1.1 removing the header is no longer necessary. This change got mentioned on https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers
As shown by Josue, this can be easily added to all requests again as follows:
    angular.module('yourModule', [])
        .config(['$httpProvider', function($httpProvider) {
            $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
        }]);
Set the configuration for the header to undefined to remove the header for specific external requests.
    let urlExternalValidator = 'https://openiban.com/validate/' + this.iban + '?getBIC=true&validateBankCode=true';
    this.$http.get(urlExternalValidator, {
        // simple request to not trigger a CORS preflight
        // https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
        headers: {
            'X-Requested-With': undefined
        }
    });
In addition, you can supply a headers property in the config object passed when calling $http(config), which overrides the defaults without changing them globally.
To explicitly remove a header automatically added via $httpProvider.defaults.headers on a per request basis, use the headers property, setting the desired header to undefined.
https://docs.angularjs.org/api/ng/service/$http#setting-http-headers
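The answers above touch two consequences of the same browser rule: a custom header such as X-Requested-With turns a cross-origin call into a preflighted one, and that is also what lets a server use the header as a CSRF signal. The following is an added example, not code from any answer or from AngularJS; `unsafeHeaders`, `needsPreflight` and `passesCustomHeaderCheck` are hypothetical names, and the preflight model is deliberately simplified (it ignores the Range header, header value length and byte limits, and upload listeners).

```javascript
// Added example: simplified model of the Fetch spec's CORS "simple request"
// rule (ignores Range, header value length/byte limits and upload listeners).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Names of author-set headers that force a preflight. Entries set to
// undefined are skipped, matching the per-request removal shown above.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .filter(([, value]) => value !== undefined)
    .filter(([name, value]) => {
      const key = name.toLowerCase();
      if (SAFE_HEADERS.has(key)) return false;
      if (key !== 'content-type') return true;
      const mime = String(value).split(';')[0].trim().toLowerCase();
      return !SAFE_CONTENT_TYPES.has(mime);
    })
    .map(([name]) => name);
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) ||
    unsafeHeaders(headers).length > 0;
}

// Server-side custom-header check (hypothetical helper): state-changing
// requests are accepted only when X-Requested-With: XMLHttpRequest is present.
function passesCustomHeaderCheck(method, headers) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) return true;
  const name = Object.keys(headers)
    .find((n) => n.toLowerCase() === 'x-requested-with');
  return name !== undefined && headers[name] === 'XMLHttpRequest';
}

// Constructed sample requests (not captured traffic).
const angularDefaults = { Accept: 'application/json, text/plain, */*' };
const withHeader = { ...angularDefaults, 'X-Requested-With': 'XMLHttpRequest' };
const removed = { ...angularDefaults, 'X-Requested-With': undefined };

console.log(needsPreflight('GET', withHeader));         // true
console.log(needsPreflight('GET', removed));            // false
console.log(passesCustomHeaderCheck('POST', removed));  // false
```

If the header is re-enabled globally for CSRF checks on your own API, keep the per-request `undefined` override for third-party CORS endpoints that do not allow it in their preflight response.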