What's the point of the X-Requested-With header?


Question

JQuery and other frameworks add the following header:

X-Requested-With: XMLHttpRequest

Why is this needed? Why would a server want to treat AJAX requests differently than normal requests?

UPDATE: I just found a real-life example using this header: https://core.spreedly.com/manual/payment-methods/adding-with-js. If the payment processor is requested without AJAX, it redirects back to the original website when it's done. When it is requested with AJAX, no redirection is done.

Accepted answer

A good reason is for security - this can prevent CSRF attacks because this header cannot be added to the AJAX request cross domain without the consent of the server via CORS.

Only the following headers are allowed across origins:

  • Accept
  • Accept-Language
  • Content-Language
  • Last-Event-ID
  • Content-Type

any others cause a "pre-flight" request to be issued in CORS supported browsers.

Without CORS it is not possible to add X-Requested-With to a cross domain XHR request.

If the server is checking that this header is present, it knows that the request didn't initiate from an attacker's domain attempting to make a request on behalf of the user with JavaScript. This also checks that the request wasn't POSTed from a regular HTML form, of which it is harder to verify it is not cross domain without the use of tokens. (However, checking the Origin header could be an option in supported browsers, although you will leave old browsers vulnerable.)

You may wish to combine this with a token, because Flash running on Safari on OSX can set this header if there's a redirect step. It appears it also worked on Chrome, but is now remediated. More details here including different versions affected.

OWASP recommends combining this with Origin and Referer checks:

This defense technique is specifically discussed in section 4.3 of Robust Defenses for Cross-Site Request Forgery. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to exploit a CSRF flaw in Vimeo. But, we believe that the Flash attack can't spoof the Origin or Referer headers so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks. (NOTE: If anyone can confirm or refute this belief, please let us know so we can update this article)

However, for the reasons already discussed checking Origin can be tricky.

More on CORS, CSRF and X-Requested-With here.
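A server-side pre-check that combines the X-Requested-With test from the answer with the Origin/Referer comparison OWASP recommends, written as an added example that is not part of the original question or answer. The allow-list value, the function names and the lower-cased header object (as Node's http module exposes it) are assumptions for illustration.

```javascript
// Added illustration, not code from the original answer. Origins allowed to
// make state-changing requests (assumed value for the example).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Reduce an absolute URL (e.g. a Referer) to "scheme://host[:port]";
// returns null when the value is not a parsable absolute URL.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// headers: object with lower-cased header names. Returns { ok, reason } so
// the caller can log why a request was rejected. A per-session token check
// should still follow this (the answer notes Flash-based bypasses of the
// header check alone); this function only implements the header part.
function checkCsrfHeaders(headers, allowed = ALLOWED_ORIGINS) {
  // 1. A cross-origin XHR cannot carry X-Requested-With without a CORS
  //    preflight the server approves, and a plain HTML form cannot set
  //    custom headers at all, so both fail here.
  if (headers["x-requested-with"] !== "XMLHttpRequest") {
    return { ok: false, reason: "missing X-Requested-With: XMLHttpRequest" };
  }
  // 2. Prefer Origin; fall back to the Referer's origin for older browsers
  //    that omit Origin. With neither present the source is unknown, so
  //    reject rather than assume it is same-origin.
  let source = headers["origin"];
  if (source === undefined && headers["referer"] !== undefined) {
    source = originOf(headers["referer"]);
  }
  if (!source || source === "null") {
    return { ok: false, reason: "no usable Origin or Referer header" };
  }
  // 3. Opaque or foreign origins are rejected; only the allow-list passes.
  if (!allowed.has(source)) {
    return { ok: false, reason: "origin not allowed: " + source };
  }
  return { ok: true, reason: "same-origin AJAX request" };
}
```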
