HTTP headers in Websockets client API


Question

Looks like it's easy to add custom HTTP headers to your websocket client with any HTTP header client which supports this, but I can't find how to do it with the JSON API.

However, it seems that the spec should support these headers.

Does anyone have a clue on how to achieve it?

var ws = new WebSocket("ws://example.com/service");

Specifically, I need to be able to send an HTTP Authorization header.

Recommended answer

Updated 2x

Short answer: No, only the path and protocol field can be specified.

Longer answer:

There is no method in the JavaScript WebSockets API for specifying additional headers for the client/browser to send. The HTTP path ("GET /xyz") and protocol header ("Sec-WebSocket-Protocol") can be specified in the WebSocket constructor.

The Sec-WebSocket-Protocol header (which is sometimes extended to be used in websocket specific authentication) is generated from the optional second argument to the WebSocket constructor:

var ws = new WebSocket("ws://example.com/path", "protocol");
var ws = new WebSocket("ws://example.com/path", ["protocol1", "protocol2"]);

The above results in the following headers:

Sec-WebSocket-Protocol: protocol

Sec-WebSocket-Protocol: protocol1, protocol2

A common pattern for achieving WebSocket authentication/authorization is to implement a ticketing system where the page hosting the WebSocket client requests a ticket from the server and then passes this ticket during WebSocket connection setup either in the URL/query string, in the protocol field, or required as the first message after the connection is established. The server then only allows the connection to continue if the ticket is valid (exists, has not been already used, client IP encoded in ticket matches, timestamp in ticket is recent, etc). Here is a summary of WebSocket security information: https://devcenter.heroku.com/articles/websocket-security

Basic authentication was formerly an option but this has been deprecated and modern browsers don't send the header even if it is specified.

Basic Auth info (deprecated - no longer functional):

NOTE: the following information is no longer accurate in any modern browsers.

The Authorization header is generated from the username and password (or just username) field of the WebSocket URI:

var ws = new WebSocket("ws://username:password@example.com")

The above results in the following header with the string "username:password" base64 encoded:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

I have tested basic auth in Chrome 55 and Firefox 50 and verified that the basic auth info is indeed negotiated with the server (this may not work in Safari).

Thanks to Dmitry Frank for the basic auth answer
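
The ticket pattern described in the answer above, sketched for a Node.js server as an added example that is not part of the original answer. The function names, the 30-second lifetime and the in-memory replay set are assumptions; the checks mirror the ones the answer lists (exists, not already used, client IP matches, timestamp is recent).

```javascript
// Added example: issue and redeem single-use WebSocket tickets (names are hypothetical).
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // HMAC key, per process (assumption)
const TTL_MS = 30000;                  // ticket lifetime (assumption)
const used = new Set();                // redeemed ticket ids; needs a shared store across servers

function sign(body) {
  return crypto.createHmac("sha256", SECRET).update(body).digest("base64url");
}

// Called from an already-authenticated HTTPS endpoint before the page opens the socket.
function issueTicket(userId, clientIp, now = Date.now()) {
  const claims = { id: crypto.randomUUID(), uid: userId, ip: clientIp, iat: now };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Called during the WebSocket handshake (ticket taken from the query string or
// Sec-WebSocket-Protocol) or on the first message after the connection opens.
function redeemTicket(ticket, clientIp, now = Date.now()) {
  const [body, mac] = String(ticket).split(".");
  if (!body || !mac) return { ok: false, reason: "malformed" };

  // Verify the MAC in constant time before trusting anything inside the ticket.
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }

  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (now < claims.iat || now - claims.iat > TTL_MS) return { ok: false, reason: "expired" };
  if (claims.ip !== clientIp) return { ok: false, reason: "ip-mismatch" };
  if (used.has(claims.id)) return { ok: false, reason: "replayed" };

  used.add(claims.id); // single use: a second presentation is rejected
  return { ok: true, userId: claims.uid };
}

// Browser side (not executed here):
//   new WebSocket("wss://example.com/service?ticket=" + encodeURIComponent(ticket));
```

A ticket passed in the URL ends up in access logs and proxies, which is why it is short-lived and single-use rather than a long-term credential.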
