What's the point of the X-Requested-With header?


Problem description

JQuery and other frameworks add the following header:

X-Requested-With: XMLHttpRequest

Why is this needed? Why would a server want to treat AJAX requests differently than normal requests?

UPDATE: I just found a real-life example using this header: https://core.spreedly.com/manual/payment-methods/adding-with-js. If the payment processor is requested without AJAX, it redirects back to the original website when it's done. When it is requested with AJAX, no redirection is done.

Recommended answer

A good reason is for security - this can prevent CSRF attacks because this header cannot be added to the AJAX request cross domain without the consent of the server via CORS.

Cross domain only allows the following headers:

  • Accept
  • Accept-Language
  • Content-Language
  • Last-Event-ID
  • Content-Type

any others cause a "pre-flight" request to be issued in CORS supported browsers.

Without CORS it is not possible to add X-Requested-With to a cross domain XHR request.

If the server is checking that this header is present, it knows that the request didn't initiate from an attacker's domain attempting to make a request on behalf of the user with JavaScript. This also checks that the request wasn't POSTed from a regular HTML form, of which it is harder to verify it is not cross domain without the use of tokens. (However, checking the Origin header could be an option in supported browsers, although you will leave old browsers vulnerable.)

You may wish to combine this with a token, because Flash running on Safari on OSX can set this header if there's a redirect step. It appears it also worked on Chrome, but is now remediated. More details here including different versions affected.

OWASP recommends combining it with Origin and Referer checks:

This defense technique is specifically discussed in section 4.3 of Robust Defenses for Cross-Site Request Forgery. However, bypasses of this defense using Flash were documented as early as 2008 and again as recently as 2015 by Mathias Karlsson to exploit a CSRF flaw in Vimeo. But, we believe that the Flash attack can't spoof the Origin or Referer headers so by checking both of them we believe this combination of checks should prevent Flash bypass CSRF attacks. (NOTE: If anyone can confirm or refute this belief, please let us know so we can update this article)

However, for the reasons already discussed checking Origin can be tricky.

I have written a more in-depth blog post on CORS, CSRF and X-Requested-With here.
