为什么在使用 setRequestHeader 制作 xmlhttprequest 时无法设置 cookie 和 set

问题描述

我想知道为什么不能使用 setRequestHeader 设置 cookie 标头.是否有任何特定原因，或者仅仅是浏览器本身添加了它们，所以这些标头被禁用了?有什么安全问题吗?

I was wondering why one cannot set cookie headers using setRequestHeader. Is there any specific reason or just that they are added by browser itself, so these headers are disabled? Is there any security issue?

--编辑

我正在研究 node.js 并使用了 xmlhttprequest 模块.以下是测试代码:

I am working on node.js and used the xmlhttprequest module. Following is the test code:

var xhr = new XMLHttpRequest();
xhr.open('GET', url, true);
xhr.withCredentials = true;
xhr.setRequestHeader('Cookie', "key=value");
xhr.send(null);

这里我需要将 cookie-header 设置为 node.js' xmlhttprequest 不要显式添加 cookie-header(就像浏览器那样).尝试这样做时，xmlhttprequest 会给出错误Refused to set unsafe header".

Here I need to set cookie-header as node.js' xmlhttprequest do not explicitly adds cookie-header(as browsers do). When trying to do so, xmlhttprequest gives error "Refused to set unsafe header".

虽然我找到了一个补丁并且能够成功发送 cookie-header.但是想知道为什么禁用设置 cookie-header ?无论我在哪里阅读，都发现它是数据完整性和安全性所必需的，但是在这种情况下可以破坏哪些安全性，却没有提到任何地方.我想评估这个数据完整性问题是否也适用于 node.js 应用程序，如果我使用我的补丁.

Though I have found a patch and successfully able to send the cookie-header. But was wondering why it was disabled to set cookie-header? Where-ever I read, found that it is required for data-integrity and security, but what security can be breached in this case, is mentioned no where. I want to evaluate if, this data-integrity problem is valid for node.js application as well if I go with my patch.

推荐答案

我相信你会经历 工作草案 找到了

I am sure you would have gone through the working draft and found

上面的 headers 是由用户代理控制的，让它控制运输的那些方面.

The above headers are controlled by the user agent to let it control those aspects of transport.

首先我们需要了解，这些标准作为不同浏览器之间功能互操作性的指南.它不是针对浏览器的强制要求，因此浏览器出于不同的原因对这个标准有不同程度的遵守.

Firstly we need to understand, These are standards working as guidelines for interoperability of functions between different browsers. It's not mandated for the browser and hence browsers do have different level of adherence to this standard for different reasons.

其次，从技术上讲，您可以模拟用户代理，将您的程序视为浏览器，并且可以根据上述标准很好地设置这些值.

Secondly, Technically speaking you can emulate a user agent , treat your program as the browser and can very well set those values as per mentioned standards.

最后，禁止覆盖标头或为某些字段(如 Content-Length 、Cookie 设置标头的意图是安全设计方法.这是为了阻止或至少试图阻止 HTTP 请求走私.

Finally, the intent of disallowing overwriting of Headers or setting up headers for certain fields like Content-Length , Cookie ethos the secure design approach. It is to discourage or at least try to discourage HTTP Request smuggling.

这篇关于为什么在使用 setRequestHeader 制作 xmlhttprequest 时无法设置 cookie 和 set-cookie 标头?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！