Add custom header on non-ajax post

AFAIK it's not possible to set a header field when a form is submitted; it can only be done in ajax requests.

This question also points out that it's not possible:

But reading the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, it's mentioned that:

Encrypted Token Pattern

Overview

The Encrypted Token Pattern leverages an encryption, rather than comparison, method of Token-validation. After successful authentication, the server generates a unique Token comprised of the user's ID, a timestamp value and a nonce, using a unique key available only on the server. This Token is returned to the client and embedded in a hidden field. Subsequent AJAX requests include this Token in the request-header, in a similar manner to the Double-Submit pattern. Non-AJAX form-based requests will implicitly persist the Token in its hidden field, although I recommend persisting this data in a custom HTTP header in such cases. On receipt of this request, the server reads and decrypts the Token value with the same key used to create the Token.

This sentence confuses me:

I recommend persisting this data in a custom HTTP header in such cases

Could anyone shed some light on it?

Yes, the sentence implies that the POST operation is invoked by a custom JavaScript handler in order to inject the AUTH header. I've corrected the OWASP description to reflect this oversight.
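The handler the answer describes, as an added example that is not part of the original question, answer or the OWASP cheat sheet: the page still renders the token in a hidden field, but a submit listener cancels the plain form submission and resends the fields with fetch(), copying the token into a custom header. The header name X-CSRF-Token, the field name csrf_token and the form selector are assumptions chosen for illustration. The reason the header is worth the extra step is that a cross-site form post from an attacker's page cannot add custom headers at all (a fetch() with a custom header from another origin triggers a CORS preflight the server can refuse), so a request that carries the header is a stronger signal than one that only carries the hidden field.

```javascript
// Added example (not the original page's code). Turns a normal form POST into a
// fetch() POST that carries the CSRF token from the hidden field in a custom header.
// Header name, field name and selector below are assumptions for illustration.

const CSRF_HEADER = 'X-CSRF-Token';
const TOKEN_FIELD = 'csrf_token';

// Build the fetch() options from a plain object of form fields.
// Kept free of DOM access so it can be exercised outside a browser.
function buildRequest(fields, tokenFieldName = TOKEN_FIELD) {
  const token = fields[tokenFieldName];
  if (!token) {
    // Refuse to send a request that would lack the anti-CSRF evidence.
    throw new Error(`form has no ${tokenFieldName} field`);
  }
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    if (name !== tokenFieldName) body.append(name, value); // token travels in the header only
  }
  return {
    method: 'POST',
    credentials: 'same-origin',           // send the session cookie, never cross-site
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      [CSRF_HEADER]: token,               // the custom header the cheat sheet recommends
    },
    body: body.toString(),
  };
}

// Replace the browser's default submission with a header-carrying fetch().
function attachCsrfHeaderHandler(form, tokenFieldName = TOKEN_FIELD) {
  form.addEventListener('submit', async (event) => {
    event.preventDefault();               // stop the plain (header-less) POST
    const fields = Object.fromEntries(new FormData(form).entries());
    const response = await fetch(form.action, buildRequest(fields, tokenFieldName));
    // Follow a post-redirect-get the way a native submission would.
    if (response.redirected) window.location.assign(response.url);
  });
}

// Only wire up the handler when running in a browser (assumed selector: form[data-csrf]).
if (typeof document !== 'undefined') {
  for (const form of document.querySelectorAll('form[data-csrf]')) {
    attachCsrfHeaderHandler(form);
  }
}
```

On the server, the check that pairs with this handler is simply: reject any state-changing request whose X-CSRF-Token header is absent, then decrypt and validate the header value exactly as the Encrypted Token Pattern describes for the hidden field. Users with JavaScript disabled fall back to the plain submission, which the server will refuse, so the hidden field remains in the markup only for that fallback to be detected, not as an alternative credential.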
