ajax可以伪造的头部信息

前端之家收集整理的这篇文章主要介绍了ajax可以伪造的头部信息前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

ajax可以伪造部分header头信息,但有部分http header并不能被模拟,会被忽略或在浏览器发送请求时覆盖掉.

如下文,另外 refer是会被浏览器覆盖掉的.

http://www.w3school.com.cn/xmldom/dom_xmlserializer.asp#footer

有些请求头部由 XMLHttpRequest 自动设置而不是由这个方法设置,以符合 HTTP 协议。这包括如下和代理相关的头部:

  • Host
  • Connection
  • Keep-Alive
  • Accept-charset
  • Accept-Encoding
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • Range

http://www.w3.org/TR/2006/WD-XMLHttpRequest-20060405/#dfn-setrequestheader

User agentsmustnot set any headers other than the headers set by the author using this method,with the following exceptions:

  • UAsmustset theHostheader appropriately (seeopen()) and not allow it to be overridden.
  • UAsmustset theAuthorizationheader according to the values passed to theopen()method (butmustallow calls tosetRequestHeader()to append values to it).
  • UAsmayset theAccept-CharsetandAccept-Encodingheaders andmust notallow them to be overridden.
  • UAsmayset theIf-Modified-Since,If-None-Match,If-Range,andRangeheaders if the resource is cached and has not expired (as allowed by HTTP),andmust notallow those headers to be overridden.
  • UAsmustset theConnectionandKeep-Aliveheaders as described by the HTTP specification,andmust notallow those headers to be overridden.
  • UAsshouldset the proxy-related headers according to proxy settings of the environment,andmust notallow those headers to be overridden.
  • UAsmaygive theUser-Agentheader an initial value,butmustallow authors to append values to it.
  • UAsshouldsetCookieandCookie2headers appropriately for the given URI and given the user's current cookies,andmustallow authors to append values to these headers.

猜你在找的Ajax相关文章