Are there any browsers that set the Origin header to "null" for privacy-sensitive contexts?


Question


The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

My questions: What is a "privacy-sensitive" context, and are there any browsers that exhibit this behavior?

Here is the full phrasing from the Origin spec:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

NOTE: This document does not define the notion of a privacy-sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields.

Solution

I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.
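As an added example, not part of the question or the answer above, the following Python models the two "null" cases this thread mentions (a page loaded from a local file, and a CORS request redirected to a different origin) and shows the server-side consequence: an allowlist check that never treats "null" as a trusted origin, because "null" is what every opaque or tainted context sends and is therefore not identifying. The function names, the allowlist and the URLs are constructed for this example; the redirect rule is a simplified reading of the answer, comparing the origin of each redirect target with the origin of the URL being redirected from.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialise the origin (scheme, host, port) of an absolute URL.

    Only http(s) URLs have a tuple origin; anything else (file:, data:, ...)
    is opaque and serialises as the string "null", which is the first case
    from the question: a page opened from the user's disk.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return "null"
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    host = parts.hostname.lower()
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_header_after_redirects(page_url, request_url, redirect_chain):
    """Compute the Origin header sent on the final hop of a CORS request.

    Models the rule from the answer: once a redirect crosses to a different
    origin, the Origin header becomes "null" and stays "null" for the rest
    of the chain, so the new server never learns where the request began.
    """
    origin = origin_of(page_url)
    current = request_url
    for location in redirect_chain:
        if origin_of(location) != origin_of(current):
            origin = "null"
        current = location
    return origin


# Constructed allowlist for the example server.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_response_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Return CORS response headers for an exact allowlisted origin, else {}.

    "null" is refused explicitly: it is the value sent by file:// pages and
    by requests that went through a cross-origin redirect, so allowlisting
    it would grant every such context access rather than one known site.
    """
    origin = next((v for k, v in request_headers.items()
                   if k.lower() == "origin"), None)
    if origin is None or origin == "null" or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # echo exact match, never "*"
        "Vary": "Origin",                        # keep caches per-origin
    }


if __name__ == "__main__":
    # Cross-origin redirect: Origin degrades to "null" on the second hop.
    print(origin_header_after_redirects(
        "https://app.example.com/", "https://api.example.net/v1",
        ["https://other.example.org/v2"]))        # null
    # Same-origin redirect: Origin is preserved.
    print(origin_header_after_redirects(
        "https://app.example.com/", "https://api.example.net/v1",
        ["https://api.example.net/v2"]))          # https://app.example.com
    print(cors_response_headers({"Origin": "null"}))  # {} (denied)
```

The server-side check echoes the exact matching origin instead of `*` and adds `Vary: Origin`, so a cached response granted to one origin is not served to another; a "null" Origin simply gets no CORS headers, which is the safe default since the browser will then block the cross-origin read.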

