堆栈内存溢出
  简体   繁体   English

在XMLHttpRequest中设置Authorization标头会更改HTTP谓词

[英]Setting Authorization header in XMLHttpRequest changes HTTP verb

 原文  2014-03-14 16:40:15       javascript/ html/ firefox

问题描述

Today I found a strange behavior of XMLHttpRequest. 今天我发现了XMLHttpRequest的奇怪行为。 When I am calling a GET service I found that if I do not set the Authorization header the request from firefox is same. 当我调用GET服务时,我发现如果我没有设置Authorization标头,那么来自firefox的请求是相同的。 But if I add the "Authorization" header firefox first send a request with "OPTIONS" then it sends a "GET" request. 但是如果我添加“Authorization”标题,firefox首先发送带有“OPTIONS”的请求,然后它发送一个“GET”请求。

I know that the verb "OPTIONS" must be handled in server side but I was just wondering why XMLHttpRequest behaves like this. 我知道动词“OPTIONS”必须在服务器端处理,但我只是想知道为什么XMLHttpRequest表现得像这样。 Though it is a cross domain request, why browser first send the "OPTIONS" request. 虽然它是跨域请求,但为什么浏览器首先发送“OPTIONS”请求。 Why adding a "Authorization" header changes the behavior. 为什么添加“授权”标题会改变行为。

Here is my Javascript code and Fidler Inspector report. 这是我的Javascript代码和Fidler Inspector报告。 

    var  xmlhttp = new XMLHttpRequest();
    var url = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    xmlhttp.open('GET',url,true);
    xmlhttp.setRequestHeader("Authorization", "xxxxxxxxxxxxxxxxxxx");
    xmlhttp.send(null);
    xmlhttp.onreadystatechange = function() {
            alert("OnReadystatechange + " + xmlhttp.readyState + " " + xmlhttp.status);
           if (xmlhttp.readyState == 4) {
              if ( xmlhttp.status == 200) {

                   }
                   else {

                   }
             }
             else
                   alert("Error ->" + xmlhttp.responseText);
          }

And the fiddler response with Authorization Header 和授权标题的提琴响应

在此输入图像描述

在此输入图像描述

But when I do not add the Authorization header the browser directly sends the GET request no OPTIONS request. 但是当我没有添加Authorization标头时,浏览器直接发送GET请求而没有OPTIONS请求。

在此输入图像描述

1 个解决方案

解决方案1
 12 已采纳  2014-03-14 17:30:55

The HTTP OPTIONS request is used to "preflight" the cross-origin GET request, before actually sending it. HTTP OPTIONS请求用于在实际发送之前“预检”跨源GET请求。

Unlike simple requests, "preflighted" requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send. 与简单请求不同,“预检”请求首先通过OPTIONS方法向另一个域上的资源发送HTTP请求,以确定实际请求是否可安全发送。 Cross-site requests are preflighted like this since they may have implications to user data. 跨站点请求是这样预检的,因为它们可能对用户数据有影响。 In particular, a request is preflighted if: 特别是,如果出现以下情况,请求会被预检:

  • It uses methods other than GET, HEAD or POST. 它使用GET,HEAD或POST以外的方法。 Also, if POST is used to send request data with a Content-Type other than 此外,如果使用POST来发送具有除以外的Content-Type的请求数据
    application/x-www-form-urlencoded, multipart/form-data, or application / x-www-form-urlencoded,multipart / form-data,或
    text/plain, eg if the POST request sends an XML payload to the text / plain,例如,如果POST请求将XML有效负载发送到
    server using application/xml or text/xml, then the request is 服务器使用application / xml或text / xml,然后请求是
    preflighted. 预检。
  • It sets any header that is not considered simple. 它设置任何不简单的标头。 A header is said to be a simple header if the header field name is an ASCII case-insensitive match for Accept , Accept-Language , or Content-Language or if it is an ASCII case-insensitive match for Content-Type and the header field value media type (excluding parameters) is an ASCII case-insensitive match for application/x-www-form-urlencoded , multipart/form-data , or text/plain . 如果头字段名称是AcceptAccept-LanguageContent-Language的ASCII不区分大小写的匹配,或者如果它是Content-Type和头字段的ASCII不区分大小写的匹配,则称头是简单头值媒体类型(不包括参数)是对application / x-www-form-urlencodedmultipart / form-datatext / plain的ASCII不区分大小写的匹配。

So in your case, setting the Authorization header is causing the request to be preflighted, hence the OPTIONS request. 因此,在您的情况下,设置Authorization标头会导致请求被预检,因此OPTIONS请求。

More info here 更多信息在这里

Spec on Cross-Origin Request with Preflight 具有预检的交叉原始请求规范

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 带有 HTTP 的 Chrome 扩展中的 XMLHttpRequest 授权继续在常规页面上发送授权 Header - XMLHttpRequest in Chrome Extension with HTTP Authorization continues to send Authorization Header on regular pages Angularjs oauth错误:无法对'XMLHttpRequest'执行'setRequestHeader':'Authorization:Bearer'不是有效的HTTP标头字段名称 - Angularjs oauth Error: Failed to execute 'setRequestHeader' on 'XMLHttpRequest': 'Authorization: Bearer ' is not a valid HTTP header field name 将 API 密钥设置为 XMLHttpRequest 的标头 - Setting an API key as a header for a XMLHttpRequest HTTP 授权请求 header - HTTP request with authorization header 基本的HTTP授权标头 - Basic HTTP authorization header xmlHttpRequest是否可以在Firefox中访问Authorization标头 - Can xmlHttpRequest access the Authorization header in Firefox 如何使用XMLHttpRequest标头绕过授权? - How to bypass authorization using XMLHttpRequest header? 在Http Post上添加授权标头 - Add Authorization Header on Http Post 读取 Http 请求授权 Header - Read Http Request Authorization Header 如何在xmlHTTPRequest之前将cookie值插入到Authorization标头中? - How to insert cookie value into Authorization header before xmlHTTPRequest?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM