在 Angular 应用程序中将 http 标头添加到 window.location.href [英] Adding http headers to window.location.href in Angular app

问题描述

我有一个角度应用程序，我需要将它重定向到一个非角度的 html 页面，所以我想我可以使用 $window.location.href 将角度应用程序重定向到我的外部地点.这实际上工作正常，但是，我有一个 nodejs/express 后端，它在提供任何内容(甚至是静态内容)之前检查身份验证令牌.

I have a angular app that I needed to redirect outside to a non angular html page, so I thought I could just use the $window.location.hrefto redirect the angular app to my external site. This actually works fine, however, I have a nodejs/express backend that checks for auth token before serving up any content(even static content).

这需要在 http 请求的标头中发送身份验证令牌.现在的问题:

This requires a auth token to be sent in the header of the http request. Now the question:

您可以/如何在发送之前通过更改 $window.location.href 向发出的请求添加身份验证令牌?

Can/How do you add an auth token to the request that is made by changing the $window.location.href before it is sent off?

推荐答案

当您使用 $window.location.href 时，浏览器发出的是 HTTP 请求，而不是您的 JavaScript 代码.因此，您不能使用令牌值添加像 Authorization 这样的自定义标头.

When you use $window.location.href the browser is making the HTTP request and not your JavaScript code. Therefore, you cannot add a custom header like Authorization with your token value.

您可以通过 JavaScript 添加一个 cookie 并将您的身份验证令牌放在那里.cookie 将自动从浏览器发送.但是，您需要查看使用 cookie 与标头的安全隐患.由于两者都可以通过 JavaScript 访问，因此没有额外的攻击向量.除非您在新页面加载后删除 cookie，否则可能存在 CSRF 漏洞利用.

You could add a cookie via JavaScript and put your auth token there. The cookies will automatically be sent from the browser. However, you will want to review the security implications of using a cookie vs. a header. Since both are accessible via JavaScript, there is no additional attack vector there. Unless you remove the cookie after the new page loads, there may be a CSRF exploit available.

这篇关于在 Angular 应用程序中将 http 标头添加到 window.location.href的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！