I am trying to implement simple xhr abstraction, and am getting this warning when trying to set the headers for a POST. I think it might have something to do with setting the headers in a separate js file, because when i set them in the <script> tag in the .html file, it worked fine. The POST request is working fine, but I get this warning, and am curious why. I get this warning for both content-length and connection headers, but only in WebKit browsers (Chrome 5 beta and Safari 4). In Firefox, I don't get any warnings, the Content-Length header is set to the correct value, but the Connection is set to keep-alive instead of close, which makes me think that it is also ignoring my setRequestHeader calls and generating it's own. I have not tried this code in IE. Here is the markup & code:

我正在尝试实现简单的xhr抽象,并在尝试设置POST的标题时得到这个警告。我认为这可能与在单独的js文件中设置头文件有关,因为当我在.html文件中的

test.html:

test.html:

<!DOCTYPE html>
<html>
    <head>
        <script src="jsfile.js"></script>
        <script>
            var request = new Xhr('POST', 'script.php', true, 'data=somedata',  function(data) { 
                console.log(data.text); 
            });
        </script>
    </head>
    <body>
    </body>
</html>

jsfile.js:

jsfile.js:

function Xhr(method, url, async, data, callback) {
    var x;
    if(window.XMLHttpRequest) {
        x = new XMLHttpRequest();

        x.open(method, url, async);

        x.onreadystatechange = function() {
            if(x.readyState === 4) {
                if(x.status === 200) {
                    var data = {
                        text: x.responseText,
                        xml: x.responseXML
                    };
                    callback.call(this, data);
                }
            }
        }

        if(method.toLowerCase() === "post") {
            x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
            x.setRequestHeader("Content-Length", data.length);
            x.setRequestHeader("Connection", "close");
        }

        x.send(data);
    } else {
        // ... implement IE code here ...
    }
    return x;
}

1 个解决方案

#1


63

it is also ignoring my setRequestHeader calls and generating its own

它也忽略了我的setRequestHeader的调用并生成自己的调用

Yes, the standard says it must:

是的,标准规定必须:

For security reasons, these steps should be terminated if header is [...]

出于安全原因,如果header是[…],则应该终止这些步骤。

  • Connection
  • 连接
  • Content-Length
  • 内容长度

Messing around with those could expose various request smuggling attacks, so the browser always uses its own values. There's no need or reason to try to set the request length, as the browser can do that accurately from the length of data you pass to send().

处理这些可能会暴露各种请求走私攻击,所以浏览器总是使用自己的值。没有必要或理由尝试设置请求长度,因为浏览器可以从传递给send()的数据长度中精确地设置请求长度。

更多相关文章

  1. JQuery纯前端导入Excel文件,兼容IE10及IE9版本以下浏览器处理方法
  2. 删除复制+粘贴的富文本格式? (跨浏览器)
  3. 如何执行浏览器内对比扩展/规范化?
  4. 浏览器环境下JavaScript脚本加载与执行探析之动态脚本与Ajax脚本
  5. js获取点击事件的位置,兼容主流浏览器
  6. 如何测试潜在的“浏览器崩溃”JavaScript?
  7. 为什么jquery click事件在plunker中工作但在任何浏览器中都没有
  8. 浏览器独立文件io在javascript中
  9. 如何访问远程节点。浏览器中的js应用程序,而不是本地主机

随机推荐

  1. Android Activity从创建到显示流程
  2. Android 如何破解兼容性困局
  3. 学个明白--Android世界的坐标系
  4. Android(安卓)OKHttp系列2-RetryAndFollo
  5. 关于greenDao函数报错
  6. Android—自制Android闹钟3步即可!(2020-6
  7. android 获取实时麦克风声音大小
  8. 《Android第一行代码》first reading 十
  9. Android(安卓)7.0 系统解决拍照的问题 ex
  10. Android Broadcast 用法简单讨论