堆栈内存溢出
  简体   繁体   English

如何在 Reitit 中将 origin header 参数设置为强制性参数?

[英]How can I set the origin header param as mandatory in Reitit?

 原文  2020-10-09 19:20:52       clojure/ reitit

问题描述

I've a Clojure application with Pedestal & Reitit and I need the origin header param to be mandatory.我有一个带有 Pedestal & Reitit 的 Clojure 应用程序,我需要 origin header 参数是强制性的。

;; deps
[io.pedestal/pedestal.service "0.5.5"]
[pedestal/pedestal.jetty "0.5.5"]
[reitit-pedestal "0.5.5"]
[reitit "0.5.5"]

But if I put in my schema, the request throws an exception.但是如果我输入我的模式,请求就会抛出异常。

(s/defschema my-request
  {:header {:origin s/Str}})

["/my-route"
    {:get  {:parameters  my-request
            :handler     my-handler}}]

Exception:例外:

:errors {:origin missing-required-key} :errors {:origin missing-required-key}

{
  "message": "Bad Request",
  "exception": "clojure.lang.ExceptionInfo: clojure.lang.ExceptionInfo in Interceptor :reitit.http.coercion/coerce-request - 
  Request coercion failed: #reitit.coercion.CoercionError{:schema {:origin java.lang.String, Keyword Any}, :errors {:origin missing-required-key}}

Request要求

curl -X GET "http://localhost:3000/my-route -H  "accept: application/json" "origin: TEST" -H  "user-agent: test"

The CURL request works, the issue is only in Swagger UI with GET method. CURL 请求有效,问题仅出现在使用 GET 方法的 Swagger UI 中。

It seems that Swagger for get methods doesn't send the origin header param to avoid cors' attacks. get 方法的 Swagger 似乎没有发送原始 header 参数以避免 cors 的攻击。

Can I workround this?我可以解决这个问题吗?

Thanks for your help谢谢你的帮助

1 个解决方案

解决方案1
 0 已采纳  2020-10-09 20:55:53

After I discussed with a colleague he showed me that:在我与一位同事讨论后,他向我展示了:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

The Origin request header indicates where a fetch originates from. Origin 请求 header 指示提取的来源。 It doesn't include any path information, but only the server name.它不包含任何路径信息,仅包含服务器名称。 It is sent with CORS requests, as well as with POST requests.它与 CORS 请求以及 POST 请求一起发送。 It is similar to the Referer header, but, unlike this header, it doesn't disclose the whole path.它类似于Referer header,但与这个header不同的是,它没有公开整个路径。

And I found this我发现了这个

https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

A forbidden header name is the name of any HTTP header that cannot be modified programmatically;禁止的 header 名称是不能以编程方式修改的任何 HTTP header 的名称; specifically, an HTTP request header name (in contrast with a Forbidden response header name).具体来说,HTTP 请求 header 名称(与禁止响应 header 名称相反)。

Guess what, origin is one of them.你猜怎么着,起源就是其中之一。

Have this too.也有这个。 https://bugzilla.mozilla.org/show_bug.cgi?id=1508661 https://bugzilla.mozilla.org/show_bug.cgi?id=1508661

origin header should not be set for GET and HEAD requests 2 years ago(2018-11-20) 2 年前(2018-11-20)不应为 GET 和 HEAD 请求设置 origin header

I tried and inspected my application request in firefox and chrome, they behaviour equal of links.我在 firefox 和 chrome 中尝试并检查了我的应用程序请求,它们的行为等同于链接。

I suppose that's it.我想就是这样。 Thanks谢谢

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何从 Reitit 后端路由中提取路径参数 - How to extract a path-param from a Reitit backend end route 您如何使用 Reitit 在 Clojure 中设置中间件以启用主体参数的强制转换? - How do you set up middleware in Clojure using Reitit to enable coercion of body params? 重新投资戒指。 Luminus 上仅在一组路由中进行身份验证和授权 - Reitit ring. Authentication and authorization in only one set of routes on Luminus 如何在特定的启动路由上应用环网防伪? - How to apply ring-anti-forgery on specific reitit routes? 在 Clojure 中下载文件时,如何设置 User-Agent header? - How can I set the User-Agent header when downloading a file in Clojure? 如何对一组clojure地图进行排序? - How can I sort a clojure set of maps? 如何从defrecord创建集合? - How can I create a set from a defrecord? 如何从Java设置SELinux权限? - How can I set SELinux permissions from Java? 如何从Clojure中获取元素? - How I can get element from set in clojure? 您可以在标题中设置发布请求的大小限制吗? - Can you set the size limit of a post request in header?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM