为什么当在URL中提供凭据的浏览器不发送认证头? [英] Why do browsers not send the Authentication header when the credentials are provided in the URL?
问题描述
我想给用户有机会通过提供URL中的用户名和密码做每个请求的身份验证。由于该请求是安全的,我有没有顾虑。
I would like to give users the opportunity to do a per-request-authentication by providing the username and password in the URL. As the request is secure, I have no concerns on that.
我试着打电话请求的http://用户名:密码@本地/ 使用通常的浏览器(火狐,Chrome,Safari和Opera是我测试过的那些),我得到一个401响应返回。当我试图相同的URI,但这次提供的凭据作为HTTP头如认证:基本dXNlcjpwYXNzd29yZA == ,它的工作
I tried to call the request http://user:password@localhost/ using a usual browser, (Firefox, Chrome, Safari and Opera was the ones I tested) and I got a 401 response back. When I tried the same URI, but this time provided the credentials as HTTP-header like Authentication: Basic dXNlcjpwYXNzd29yZA==, it worked.
在该搜索,我发现这个答案另一个问题:<一href=\"http://serverfault.com/questions/371907/can-you-pass-user-pass-for-http-basic-authentication-in-url-parameters#answer-371918\">http://serverfault.com/questions/371907/can-you-pass-user-pass-for-http-basic-authentication-in-url-parameters#answer-371918
When searching for that, I found this answer to another question: http://serverfault.com/questions/371907/can-you-pass-user-pass-for-http-basic-authentication-in-url-parameters#answer-371918
这个回答称,浏览器应自动生成认证头出在URL中提供的凭据。
This answer claims, that the browser should automatically generate the Authentication header out of the credentials provided in the URL.
在尝试它使用curl命令行上,它的工作原理。那么,为什么没有在浏览器中运行?
When trying it on the command line using curl, it works. So, why doesn't it work in the browser?
有这事做的安全?
Firefox是唯一一位自称:
Firefox is the only one claiming:
您即将登录到该网站本地主机的用户名用户,但网站不要求身份验证。这可能是
试图欺骗你。
You are about to log in to the site "localhost" with the username "user", but the website does not require authentication. This may be an attempt to trick you.
是本地主机要访问的网站?
Is "localhost" the site you want to visit?
但点击确认这一请求时,是的,它不发证书的请求。至少,我看不到他们在Firebug的网络选项卡...和响应是401了。
But when confirming this request by clicking on yes, it sends the request without credentials. At least, I can't see them in the network-tab of firebug ... and the response is a 401, too.
推荐答案
是的,它是关于安全性,它是关于选择。
Yes it is about security, and it is about choice.
首先,当您使用卷曲你上面提到的操作,卷曲默认为,并假定您要基本身份验证(除非你指定别的东西,是的名称是真正的基础)。
First of all, when you use curl to do the operation you mention above, curl defaults to and assumes that you want Basic authentication (unless you specify something else, and yes the name is truly "Basic").
如果你问卷曲做HTTP认证有一个方法,你提供的凭据,然后决定它可以发送AUTH头的时候了。如果你而要求它做多个auth类型(其中libcurl的基础库可以做到),那么它的不会发送的auth头中的第一个请求,但是这反而派出一个非权威性请看看哪些方法服务器需要 - 就像浏览器做
If you ask curl to do HTTP auth with a single method and you provide the credentials, then it decides it can send the auth headers right away. If you instead ask it to do several auth types (which libcurl the underlying library can do), then it won't send any auth header in the first request, but it will instead send a non-auth request to see which methods the server wants - like the browsers do.
在浏览器的情况下,他们总是有多重身份验证方案接近,使他们不认为你需要基本身份验证,并通过这样做,他们不会盲目地以明文形式在网络上发送您的用户+密码。然后,他们只会做,如果服务器实际上只希望基本(或浏览器不支持任何更AUTH类型的服务器支持)。
In the browsers case, they always have the multiple-auth schemes approach so they don't assume you want Basic auth and by doing so, they don't blindly send your user+password over the network in the clear. They will then only do that if the server actually only wants Basic (or the browser doesn't support whatever more auth types the server supports).
我希望这有点澄清的事情。
I hope this clarifies things somewhat.
这篇关于为什么当在URL中提供凭据的浏览器不发送认证头?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
