是否有任何浏览器将原始标头设置为“null"?对于隐私敏感的环境? [英] Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?

问题描述

Origin spec 表示 Origin 标头可以设置为null".这通常在请求来自用户计算机上的文件而不是来自托管网页时完成.该规范还指出，如果请求来自隐私敏感"的用户，则 Origin 可能为空.上下文.

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

我的问题:什么是隐私敏感"?上下文，是否有任何浏览器表现出这种行为?

My questions: What is a "privacy-sensitive" context, and are there any browsers that exhibit this behavior?

以下是 Origin 规范的完整措辞:

Here is the full phrasing from the Origin spec:

每当用户代理从隐私敏感"在上下文中，用户代理必须发送值null"；在 Origin 标头字段中.

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

注意:本文档没有定义隐私敏感的概念语境.生成 HTTP 请求的应用程序可以指定对隐私敏感的上下文对用户如何施加限制代理生成 Origin 标头字段.

NOTE: This document does not define the notion of a privacy-sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields.

推荐答案

我终于找到了答案.至少还有另一种情况，Origin 标头可能为null".在 CORS 请求期间跟随重定向时，如果请求被重定向到不同服务器上的 URL，则 Origin 标头将更改为null".我想这被认为是隐私敏感上下文"，因为浏览器不想将原始来源泄露给新服务器，因为客户端可能一开始并不打算向新服务器发出请求.

I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.

这篇关于是否有任何浏览器将原始标头设置为“null"?对于隐私敏感的环境?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！