CORS and Origin header?
Notice: this page is a Chinese-English translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 licence. If you use it, you must comply with the same licence, cite the original address and author information, and attribute it to the original author (not me): Stack Overflow.
Original address: http://stackoverflow.com/questions/15988323/
Asked by Royi Namir
When we need to invoke an Ajax request we do:

var xhr;
if (typeof XMLHttpRequest !== 'undefined') {
    xhr = new XMLHttpRequest();
} else {
    // Fallback for old Internet Explorer: try the ActiveX ProgIDs in turn
    var versions = ["Microsoft.XmlHttp",
                    "MSXML2.XmlHttp",
                    "MSXML2.XmlHttp.3.0",
                    "MSXML2.XmlHttp.4.0",
                    "MSXML2.XmlHttp.5.0"];
    for (var i = 0; i < versions.length && !xhr; i++) {
        try { xhr = new ActiveXObject(versions[i]); } catch (e) { /* try the next ProgID */ }
    }
}
I already know that using XMLHttpRequest-2, we can make a cross origin request AND that the ORIGIN header is added.
Question:
When is this header added?
- Is it added when a browser (that supports CORS) is performing a request? (cross domain or non-cross-domain?)
- Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...
I mean: what the He** does the bold line mean?
Cross-origin HTTP requests have an Origin header. This header provides the server with the request's origin. This header is protected by the browser and cannot be changed from application code. In essence, it is the network equivalent of the origin property found on message events used in Cross Document Messaging. The origin header differs from the older referer [sic] header in that the referer is a complete URL including the path. Because the path may contain sensitive information, the referer is sometimes not sent by browsers attempting to protect user privacy. However, the browser will always send the required Origin headers when necessary.
Answered by Paul S.
The Origin header
When is this header added?
During the headers stage, before the document's body is sent (after open, before send).
Is it added when a browser (that supports CORS) is doing a request? (cross domain or non-cross-domain?)
It is added when the origin doesn't match the page from which the XMLHttpRequest is created, but may also be sent in a same-origin request.
Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...
Yes.
However, the browser will always send the required Origin headers when necessary.
This is part of the XMLHttpRequest spec; if you're making a cross-domain request, an extra header is sent in the request headers. This header is e.g. Origin: http://www.stackoverflow.com and is appended by a standards-following browser without user interaction.
You can read more on the specification in MozillaWiki's Security section, WHATWG and html5.org. It is implemented by (that I know of) Firefox and Google Chrome. I don't believe it is part of W3C yet. Further, do not assume the Origin header is true, as it can be set manually by modified browsers or other software.
Answered by Robyflc
The Origin header is added automatically (generally) when you do a cross domain request.
To test it, I opened the console on this page and made two different requests: one for another domain and one for '/', and just the first got the Origin header added.
BTW, I'm using jQuery for it and I'd really advise you to use it too in order to have the same behavior cross-browser.
For complementary info on the subject, check this:
The first thing to note is that a valid CORS request always contains an Origin header. This Origin header is added by the browser, and cannot be controlled by the user. The value of this header is the scheme (e.g. http), domain (e.g. bob.com) and port (included only if it is not a default port, e.g. 81) from which the request originates; for example: http://api.alice.com.
The presence of the Origin header does not necessarily mean that the request is a cross-origin request. While all cross-origin requests will contain an Origin header, some same-origin requests might have one as well. For example, Firefox doesn't include an Origin header on same-origin requests. But Chrome and Safari include an Origin header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header).
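The two behaviours discussed in the answers above, the client-side origin rule from Paul S.'s answer and the quoted note in Robyflc's answer (scheme, host, port only when non-default; Origin attached whenever the request origin differs from the page origin, and sometimes on same-origin requests too), and what a server should do with the value (match it exactly against a list, never echo it back blindly, and not treat its mere presence as proof of a cross-origin request), as an added example in Node.js JavaScript. It is not code from the thread. The allowlist, the selfOrigin value and the sample request headers are constructed for the demonstration.

```javascript
// Added example (not from the Stack Overflow thread). Runs under Node.js,
// which ships the WHATWG URL class; no network access is needed.

// Default ports that a serialized origin omits (assumption: the schemes a
// CORS-capable page actually uses).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Client side: serialize a URL to its origin the way the quoted text describes,
// scheme + host + port, omitting the port when it is the scheme's default.
function serializeOrigin(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") return "null"; // opaque origin (file:, data:, blob: ...)
  // URL already drops a default port, so `u.port` is "" for http://h:80; the
  // table lookup is kept to make the rule explicit.
  const port = u.port === "" || u.port === DEFAULT_PORTS[u.protocol] ? "" : ":" + u.port;
  const origin = `${u.protocol}//${u.hostname}${port}`;
  // Cross-check against the platform's own serialization.
  if (origin !== u.origin) throw new Error(`origin mismatch: ${origin} vs ${u.origin}`);
  return origin;
}

// Will the browser attach an Origin header? Per Paul S.'s answer it always does
// when the request origin differs from the page origin. `requestUrl` may be
// relative (e.g. "/"), as in Robyflc's console test; it is resolved against the page.
function isCrossOrigin(pageUrl, requestUrl) {
  const target = new URL(requestUrl, pageUrl).href;
  return serializeOrigin(pageUrl) !== serializeOrigin(target);
}

// Server side: compute the CORS response headers for one request.
//   requestHeaders - lower-cased header map, as Node's http module provides it
//   selfOrigin     - this server's own serialized origin (constructed value)
//   allowlist      - Set of exact serialized origins the operator trusts
// Returns {} when no CORS headers are warranted.
function corsResponseHeaders(requestHeaders, selfOrigin, allowlist) {
  const origin = requestHeaders["origin"];
  // No Origin header: a same-origin GET, a non-browser client, or a browser
  // that omits it on same-origin requests (Firefox, per the quoted text).
  if (origin === undefined) return {};
  // Accept only a well-formed serialized origin: scheme://host[:port], no path.
  // "null", a full URL, or junk from a non-browser client is never echoed back.
  let parsed = null;
  try { parsed = new URL(origin); } catch (e) { parsed = null; }
  if (parsed === null || parsed.origin !== origin) return { "Vary": "Origin" };
  // Chrome/Safari send Origin on same-origin POST/PUT/DELETE: that is not CORS.
  if (origin === selfOrigin) return {};
  // Exact-match lookup; no substring or regex matching, and no reflecting the
  // value, since Paul S. notes a modified client can send any Origin it likes.
  if (!allowlist.has(origin)) return { "Vary": "Origin" };
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  // Preflight (OPTIONS with Access-Control-Request-Method): advertise what is allowed.
  if (requestHeaders["access-control-request-method"] !== undefined) {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Constructed sample run (the values below are made up for the demonstration).
if (typeof require !== "undefined" && require.main === module) {
  const page = "http://www.stackoverflow.com/questions/15988323/";
  console.log(serializeOrigin(page), isCrossOrigin(page, "/"), isCrossOrigin(page, "https://api.alice.com/v1"));
  const allow = new Set(["http://www.stackoverflow.com"]);
  console.log(corsResponseHeaders({ origin: "http://www.stackoverflow.com" }, "https://api.alice.com", allow));
  console.log(corsResponseHeaders({ origin: "http://www.stackoverflow.com/questions" }, "https://api.alice.com", allow));
}
```

Run it with `node cors_origin.js`. The `Vary: Origin` header is returned even on rejection so that a shared cache never serves one origin's response to another; the `selfOrigin` comparison is what keeps a same-origin POST from Chrome or Safari from being handled as a CORS request.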

