What's the point of X-Requested-With header?


Question


JQuery and other frameworks add the following header:


X-Requested-With: XMLHttpRequest


Why is this needed? Why would a server want to treat AJAX requests differently than normal requests?


UPDATE: I just found a real-life example using this header: https://core.spreedly.com/manual/payment-methods/adding-with-js. If the payment processor is requested without AJAX, it redirects back to the original website when it's done. When it is requested with AJAX, no redirection is done.

Recommended answer


A good reason is for security - this can prevent CSRF attacks because this header cannot be added to the AJAX request cross domain without the consent of the server via CORS.


Only the following headers are allowed cross domain:

  • Accept
  • Accept-Language
  • Content-Language
  • Last-Event-ID
  • Content-Type


Any others cause a "pre-flight" request to be issued in CORS-supporting browsers.


Without CORS it is not possible to add X-Requested-With to a cross domain XHR request.


If the server is checking that this header is present, it knows that the request didn't initiate from an attacker's domain attempting to make a request on behalf of the user with JavaScript. This also checks that the request wasn't POSTed from a regular HTML form, for which it is harder to verify that it is not cross-domain without the use of tokens. (However, checking the Origin header could be an option in supported browsers, although you will leave old browsers vulnerable.)
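The following is an added example, not code from the question, the answer or any library mentioned above. It models the two checks the answer describes on the server side: whether a request, if it came from another origin, would have forced a CORS preflight (using the header safelist given in the answer, plus the restriction that Content-Type is only safelisted for three form-style media types), and a gate that rejects a state-changing request unless it carries `X-Requested-With: XMLHttpRequest` and, when an Origin header is present, that origin is one we trust. The header map, the allowed-origin list and the function names are assumptions made for the example; the requests at the bottom are constructed, not captured traffic.

```javascript
// Added example, not part of the original answer. Header names a browser may
// send cross-origin WITHOUT a preflight, as listed in the answer above. Any
// other header on an XHR/fetch forces an OPTIONS preflight first.
const SAFELISTED_REQUEST_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-language",
  "last-event-id",
  "content-type",
]);

// Content-Type is only safelisted for these media types. A cross-origin
// "application/json" body triggers a preflight although the header name itself
// is on the list.
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// HTTP header names are case-insensitive; normalise to lowercase so the
// checks below do not depend on how the client spelled them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Would a browser have to preflight this request if it were made from another
// origin? True for any method other than GET/HEAD/POST, any non-safelisted
// header, or a non-safelisted Content-Type. A request that needs no preflight
// is exactly what a plain cross-site HTML form submission looks like.
function requiresPreflight(method, headers) {
  const h = normalizeHeaders(headers);
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(h)) {
    if (!SAFELISTED_REQUEST_HEADERS.has(name)) return true;
    if (name === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true;
    }
  }
  return false;
}

// The gate the answer describes. X-Requested-With cannot be set by an HTML
// form, and cannot be set cross-origin by XHR/fetch unless our CORS policy
// approves it in a preflight, so its presence means a same-origin script or a
// CORS-approved one sent the request. If the browser also supplied Origin,
// it must be one of ours; an absent Origin (older browsers) is tolerated,
// which is the weakness the answer points out about relying on Origin alone.
function isAllowedStateChange(method, headers, allowedOrigins) {
  const h = normalizeHeaders(headers);
  if (h["x-requested-with"] !== "XMLHttpRequest") {
    return { allowed: false, reason: "missing X-Requested-With: XMLHttpRequest" };
  }
  if (h["origin"] !== undefined && !allowedOrigins.includes(h["origin"])) {
    return { allowed: false, reason: `untrusted Origin ${h["origin"]}` };
  }
  return { allowed: true, reason: "custom header present, Origin absent or trusted" };
}

// Constructed sample requests (hypothetical origins) to exercise the checks.
const TRUSTED_ORIGINS = ["https://app.example"];
const SAMPLE_REQUESTS = [
  { label: "cross-site HTML form post (CSRF attempt)", method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded", Origin: "https://evil.example" } },
  { label: "same-origin jQuery AJAX post", method: "POST",
    headers: { "X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded", Origin: "https://app.example" } },
  { label: "cross-origin fetch with JSON body, no custom header", method: "POST",
    headers: { "Content-Type": "application/json", Origin: "https://evil.example" } },
];

for (const req of SAMPLE_REQUESTS) {
  const verdict = isAllowedStateChange(req.method, req.headers, TRUSTED_ORIGINS);
  console.log(
    `${req.label}: preflight=${requiresPreflight(req.method, req.headers)} ` +
    `allowed=${verdict.allowed} (${verdict.reason})`
  );
}
```

In a real Node.js handler the `headers` argument would be `req.headers`, which the http module already lowercases; the gate should only be applied to state-changing routes, and CORS must not be configured to allow `X-Requested-With` from arbitrary origins, otherwise the header proves nothing.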
