Origin header null for XHR request made from <iframe> with sandbox attribute


Problem description

I have a project where I am trying download some data in a tab separated value format from a datahandler however, Google Chrome is sending a null value for the Origin header value.

Here are the raw headers on the request:

GET /DataHandlers/ReportSets.ashx?task=pagerequestsovertime&app=786b5ef3-1389-4890-8004-533fd1f66f16&format=tsv HTTP/1.1
Host: server.corp.somebiz.com
Connection: keep-alive
accept: text/tab-separated-values,*/*
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

This ends with an error on the console:

XMLHttpRequest cannot load http://server.corp.somebiz.com/DataHandlers/ReportSets.ashx?task=pagere…6ac42b7-ba6f-4be4-b297-758ebc9fe615&start=2/1/2017&end=3/2/2017&format=tsv. The 'Access-Control-Allow-Origin' header has a value 'http://server.corp.somebiz.com' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access.

Not only am I looking for why this is happening, but also what the conditions are that lead to Chrome sending a null Origin header to the server.

This seems to be a Chrome specific issue as Internet Explorer 11 is sending the proper Origin value to the server.

Update: To add another wrinkle that may or may not be a contributing factor.

I load the calling page in an <iframe> element to isolate scripted elements. Calling the page outside of the iframe causes a different behavior: the Origin header on Chrome is missing entirely.

Recommended answer

If the iframe you’re loading the calling page in has a sandbox attribute that doesn’t contain the value allow-same-origin, browsers give it a "unique" origin:

When the [sandbox] attribute is set, the content is treated as being from a unique origin, forms, scripts, and various potentially annoying APIs are disabled, links are prevented from targeting other browsing contexts, and plugins are secured. The allow-same-origin keyword causes the content to be treated as being from its real origin instead of forcing it into a unique origin

…and when determining the value of the Origin header to send in a cross-origin request, browsers serialize any unique origin as null and give the Origin header that value.
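The rule described in the answer, as an added example that is not part of the original post: a small model of how the iframe's sandbox keywords decide the Origin header the browser sends (real origin, "null", or no header at all for a plain same-origin GET), beside the server-side CORS check that should never echo "null" back in Access-Control-Allow-Origin. The function names, the origin strings and the allow-list are constructed for the example.

```javascript
// Added example (not the original answer's code). Helper names are hypothetical.

// Parse an <iframe sandbox="..."> attribute into its keyword set.
// `null` means the attribute is absent (frame is not sandboxed);
// "" means a bare `<iframe sandbox>` (every restriction applied).
function sandboxTokens(sandboxAttr) {
  if (sandboxAttr === null) return null;
  // Keywords are ASCII case-insensitive and space-separated.
  return new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
}

// Origin header a browser sends for a GET made by a page inside the frame.
// pageOrigin: serialized origin of the framed document, e.g. "http://server.corp.somebiz.com".
// targetOrigin: origin of the URL being requested.
// Returns the header value, or undefined when no Origin header is sent.
function originHeaderFor(pageOrigin, sandboxAttr, targetOrigin) {
  const tokens = sandboxTokens(sandboxAttr);
  // Not sandboxed, or sandboxed with allow-same-origin: the real origin survives.
  // Otherwise the document gets an opaque ("unique") origin, serialized as "null".
  const effective =
    tokens === null || tokens.has("allow-same-origin") ? pageOrigin : "null";
  // A plain same-origin GET carries no Origin header (the "missing entirely"
  // behaviour from the question's update). An opaque origin never equals the target.
  if (effective === targetOrigin) return undefined;
  return effective;
}

// Server side: choose the Access-Control-Allow-Origin value for a request.
// Returns the value to send, or undefined to deny. "null" is never echoed:
// every sandboxed frame, data: URL or file: page presents that origin, so
// allow-listing it is effectively the same as allowing "*".
function corsAllowOrigin(requestOrigin, allowList) {
  if (requestOrigin === undefined || requestOrigin === "null") return undefined;
  return allowList.includes(requestOrigin) ? requestOrigin : undefined;
}

// The situation from the question, with and without allow-same-origin (constructed values).
function demo() {
  const page = "http://server.corp.somebiz.com";
  const allowList = [page];
  const sandboxed = originHeaderFor(page, "allow-scripts", page);
  const fixed = originHeaderFor(page, "allow-scripts allow-same-origin", page);
  return {
    sandboxedOrigin: sandboxed,                               // "null"
    sandboxedAllowed: corsAllowOrigin(sandboxed, allowList),  // undefined (blocked)
    fixedOrigin: fixed,                                       // undefined (same-origin, no header)
  };
}
```

Note that adding allow-same-origin together with allow-scripts lets the framed document reach its parent as same-origin content, so it only makes sense when the framed page is already trusted.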
