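When we need to make an Ajax request, we do this:
var xhr;
if (typeof XMLHttpRequest !== 'undefined') xhr = new XMLHttpRequest();
else
{
    // Legacy IE: try the ActiveX ProgIDs in order until one can be created.
    var versions = ["Microsoft.XmlHttp",
                    "MSXML2.XmlHttp",
                    "MSXML2.XmlHttp.3.0",
                    "MSXML2.XmlHttp.4.0",
                    "MSXML2.XmlHttp.5.0"
                   ];
    for (var i = 0; i < versions.length; i++) {
        try { xhr = new ActiveXObject(versions[i]); break; } catch (e) {}
    }
}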
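I already know that with XMLHttpRequest-2 we can make cross-origin requests, and that the ORIGIN header is added.
Question:
When is this header added?
- Is it added when a browser (that supports CORS) is making a request? (Cross-domain or non-cross-domain?)
- Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...
I mean: what does the bold line mean?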
Cross-origin HTTP requests have an Origin header. This header provides the server with the request’s origin. This header is protected by the browser and cannot be changed from application code. In essence, it is the network equivalent of the origin property found on message events used in Cross Document Messaging. The origin header differs from the older referer [sic] header in that the referer is a complete URL including the path. Because the path may contain sensitive information, the referer is sometimes not sent by browsers attempting to protect user privacy. However, the browser will always send the required Origin headers when necessary.
Best answer
Origin header
When this header is added?
During the header stage, before the document body is sent (after open, before send).
Is it added when a browser (that supports CORS) is doing a request? (cross domain or non-cross-domain?)
It is added when the origin doesn't match the page from which the XMLHttpRequest is created, but it may also be sent in a same-origin request.
Or is it added automatically when the browser "sees" that the request target origin is different from the current origin...
Yes.
However, the browser will always send the required Origin headers when necessary.
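It is part of the XMLHttpRequest spec; if you are making a cross-domain request, an extra header is sent in the request headers. This header is, e.g., Origin: http://www.stackoverflow.com and is appended by a standards-following browser without user interaction.
You can read more about the specification in MozillaWiki's Security section, WHATWG and html5.org. It is implemented by (that I know of) Firefox and Google Chrome. I don't believe it is part of W3C. Furthermore, do not assume the Origin header is true, as it can be set manually by modified browsers or other software.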
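The answer's last point, seen from the server side, as an added example that is not part of the original question or answer: the Origin value is matched exactly against an allowlist for the CORS response, and a credential is still required because non-browser clients can send any Origin they like. The allowlist, the token and the lower-case header object are assumptions made for illustration.

```javascript
// Added example; the allowlist and token below are constructed values.
// The allowlist is assumed to contain the site's own origin as well, because
// browsers may send Origin on same-origin requests too.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const VALID_TOKENS = new Set(["constructed-session-token"]);

// Return the serialized origin if `value` looks like a browser-sent Origin
// header (scheme://host[:port] and nothing else), otherwise null.
function parseOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try { url = new URL(value); } catch (err) { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // A path, query, userinfo or explicit default port makes the value differ
  // from url.origin, so such values are rejected here.
  return url.origin === value.toLowerCase() ? url.origin : null;
}

// Decide the status and CORS response headers for one request.
// `headers` uses lower-case names, as Node's http module provides them.
function handleRequest(headers) {
  const res = { status: 200, headers: { Vary: "Origin" } };
  const rawOrigin = headers["origin"];
  if (rawOrigin !== undefined) {
    const origin = parseOrigin(rawOrigin);
    if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
      res.status = 403; // request claims to come from a page we do not trust
      return res;
    }
    // Echo the allowlisted value exactly; never "*" or the raw header.
    res.headers["Access-Control-Allow-Origin"] = origin;
  }
  // Origin only states which page a conforming browser says it is on.
  // Any other HTTP client can set it freely, so a credential is still needed.
  const auth = headers["authorization"] || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!VALID_TOKENS.has(token)) res.status = 401;
  return res;
}
```

A request that carries an allowlisted Origin but no valid token gets 401, which is the case the answer warns about.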
Regarding "javascript - CORS and Origin header?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/15988323/