Why cookies and set-cookie headers can't be set while making xmlhttprequest using setRequestHeader?


Question

I was wondering why one cannot set cookie headers using setRequestHeader. Is there any specific reason, or is it just that they are added by the browser itself, so these headers are disabled? Is there any security issue?

Edit

I am working on node.js and used the xmlhttprequest module. Following is the test code:

var XMLHttpRequest = require('xmlhttprequest').XMLHttpRequest;  // node.js xmlhttprequest module
var xhr = new XMLHttpRequest();
xhr.open('GET', url, true);  // url: the target of the request
xhr.withCredentials = true;
xhr.setRequestHeader('Cookie', "key=value");  // the module refuses this: "Refused to set unsafe header"
xhr.send(null);

Here I need to set the cookie header, as node.js' xmlhttprequest does not add the cookie header explicitly (as browsers do). When trying to do so, xmlhttprequest gives the error "Refused to set unsafe header".

Though I have found a patch and am able to send the cookie header successfully, I was wondering why setting the cookie header was disabled. Wherever I read, I found that it is required for data integrity and security, but what security can be breached in this case is mentioned nowhere. I want to evaluate whether this data-integrity problem is valid for a node.js application as well, if I go with my patch.

Answer

I am sure you would have gone through the working draft and found:

    "The above headers are controlled by the user agent to let it control those aspects of transport."

Firstly, we need to understand that these standards work as guidelines for interoperability of functions between different browsers. They are not mandated for the browser, and hence browsers have different levels of adherence to this standard for different reasons.

Secondly, technically speaking, you can emulate a user agent, treat your program as the browser, and can very well set those values as per the mentioned standards.

Finally, the intent of disallowing the overwriting of headers, or the setting of headers for certain fields like Content-Length and Cookie, echoes the secure design approach. It is to discourage, or at least try to discourage, HTTP request smuggling.

