XMLHttpRequest的getResponseHeader()的限制? [英] Restrictions of XMLHttpRequest's getResponseHeader()?
问题描述
我注意到和 XMLHttpRequest.getResponseHeader()
的结果并不总是与返回的实际标头匹配(如果请求是以常规方式进行的) 。
I've noticed that the results of and XMLHttpRequest.getResponseHeader()
don't always match the real headers returned (if the request is made in a regular manner).
例如,假设我正在为 https进行
。在Chrome的开发者控制台中,在网络下,我可以看到正在进行的响应 - 我还可以看到所有响应标头(例如,10)。但是(复制粘贴的控制台): xhr
请求:/ /foo.example.com/api/resource/100
For example, assume I'm making an xhr
request for https://foo.example.com/api/resource/100
. In Chrome's developer console, under 'Network', I can see the response being made -- I can also see all of the response headers (say, 10). However (copy-pasted console):
> response
XMLHttpRequest
> response.getAllResponseHeaders();
"content-type: text/html
"
是否有任何限制什么标题可用?这取决于响应类型吗?我记得为404s获得了一套完整的标题,但这只是400s的标题。
Are there any restrictions on what headers are available? Is this dependent on the response type? I remember getting a complete set of headers for 404s but just this one for 400s.
给出了什么?
推荐答案
标准化 XMLHttpRequest API 的当前状态仅适用于限制对 Set-Cookie 和 Set-Cookie2 标题字段的访问:
The current state of standardizing the XMLHttpRequest API does only restrict the access to the Set-Cookie and Set-Cookie2 header fields:
客户端 .getAllResponseHeaders()
client.getAllResponseHeaders()
返回响应中的所有标头,但字段名称除外是 Set-Cookie
或 Set-Cookie2
。
Returns all headers from the response, with the exception of those whose field name is Set-Cookie
or Set-Cookie2
.
应返回任何其他标题字段。
Any other header field should be returned.
但是当您正在进行跨源请求时,浏览器需要实现 XMLHttpRequest Level 2 ,因为原始XMLHttpRequest仅允许同源请求:
But as you’re doing a cross-origin request, the browser needs to implement XMLHttpRequest Level 2 as the original XMLHttpRequest does only allow same-origin requests:
XMLHttpRequest Level 2规范使用新功能增强XMLHttpRequest对象,例如跨源请求[...]
The XMLHttpRequest Level 2 specification enhances the XMLHttpRequest object with new features, such as cross-origin requests […]
在那里你可以读到跨源资源共享规范过滤标题过滤 getResponseHeader()为非< a href =http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#same-origin\"rel =noreferrer>同源请求。并且该规范禁止访问除简单响应标题字段<之外的任何响应标头字段/ a>(即缓存控制,内容 - 语言,内容类型,过期, Last-Modified 和 Pragma ):
There you can read that the "Cross-Origin Resource Sharing specification filters the headers that filters the headers that are exposed by getResponseHeader() for non same-origin requests.". And that specification forbids access to any response header field other except the simple response header fields (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma):
用户代理必须过滤掉所有其他响应标头比那些简单的响应标题[...]
User agents must filter out all response headers other than those that are a simple response header […]
例如因此,XMLHttpRequest的 getResponseHeader()
方法不会暴露任何未在上面指出的标题。
E.g. the getResponseHeader()
method of XMLHttpRequest will therefore not expose any header not indicated above.
这篇关于XMLHttpRequest的getResponseHeader()的限制?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!