CORS and Origin header?


Question

When we need to do an Ajax request, we do:

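var xhr;
if (typeof XMLHttpRequest !== 'undefined') xhr = new XMLHttpRequest();
else
{
    var versions = ["Microsoft.XmlHttp",
            "MSXML2.XmlHttp",
            "MSXML2.XmlHttp.3.0",
            "MSXML2.XmlHttp.4.0",
            "MSXML2.XmlHttp.5.0"
    ];
    // Legacy IE: try each ActiveX ProgID until one instantiates.
    for (var i = 0; i < versions.length; i++) {
        try { xhr = new ActiveXObject(versions[i]); break; } catch (e) {}
    }
}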

I know that using XMLHttpRequest-2, we can make cross-origin requests.

And the Origin header is added.

My question is:

  • When is this header added?

    • Is it added when a browser (that supports CORS) is doing a request? (cross-domain or non-cross-domain?)
    • Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...

I mean: what the He** does the bold line mean?

Cross-origin HTTP requests have an Origin header. This header provides the server with the request’s origin. This header is protected by the browser and cannot be changed from application code. In essence, it is the network equivalent of the origin property found on message events used in Cross Document Messaging. The origin header differs from the older referer [sic] header in that the referer is a complete URL including the path. Because the path may contain sensitive information, the referer is sometimes not sent by browsers attempting to protect user privacy. However, the browser will always send the required Origin headers when necessary.

Solution

The Origin header

When is this header added?

During the header's stage, before the document's body is sent (after open, before send).

Is it added when a browser (that supports CORS) is doing a request? (cross-domain or non-cross-domain?)

It is added when the origin doesn't match the page from which the XMLHttpRequest is created, but may also be sent in a same-origin request.

Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...

Yes.

However, the browser will always send the required Origin headers when necessary.

This is part of the XMLHttpRequest spec; if you're making a cross-domain request, in the request headers an extra header is sent. This header is e.g. Origin: http://www.stackoverflow.com and is appended by a standards-following browser without user interaction.


You can read more on the specification in MozillaWiki's Security section, WHATWG and html5.org. It is implemented by (that I know of) Firefox and Google Chrome. I don't believe it is part of W3C yet. Further, do not assume the Origin header is true, as it can be set manually by modified browsers or other software.
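
The answer's closing caveat in code, as an added example that is not part of the original post: a server matches the Origin value exactly against an allowlist to choose its CORS response headers, and authorizes on a credential rather than on Origin. `ALLOWED_ORIGINS`, `SESSIONS`, `corsHeaders` and `handle` are hypothetical names with constructed values; preflight (OPTIONS) handling is out of scope here.

```javascript
// Added example (not from the original post). ALLOWED_ORIGINS, SESSIONS and
// any request objects passed in are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const SESSIONS = new Set(['Bearer constructed-token']);

// Decide which CORS response headers to emit for a request's Origin value.
function corsHeaders(origin) {
  // Absent Origin: a same-origin request or a non-browser client. This is
  // not a CORS request, so no CORS headers are emitted.
  if (origin === undefined) return {};
  // Exact string comparison against the allowlist. The value is never
  // reflected back unchecked and never matched by substring or prefix,
  // so look-alike hosts and the literal "null" origin are refused.
  // Vary: Origin keeps caches from serving one origin's response to another.
  if (!ALLOWED_ORIGINS.has(origin)) return { 'Vary': 'Origin' };
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// Handle a request. Authorization rests on the session credential: a browser
// protects Origin from page script, but any non-browser client can send
// whatever Origin it likes, so Origin alone proves nothing about the caller.
function handle(req) {
  const headers = corsHeaders(req.headers['origin']);
  if (!SESSIONS.has(req.headers['authorization'])) {
    return { status: 401, headers };
  }
  return { status: 200, headers, body: 'ok' };
}
```

The CORS headers only tell a browser whether the calling page may read the response; the 401 path is what stops a client that simply types an allowed Origin.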
