問(wèn)題描述

我想知道為什么不能使用 setRequestHeader 設(shè)置 cookie 標(biāo)頭.是否有任何特定原因，或者僅僅是瀏覽器本身添加了它們，所以這些標(biāo)頭被禁用了?有什么安全問(wèn)題嗎?

I was wondering why one cannot set cookie headers using setRequestHeader. Is there any specific reason or just that they are added by browser itself, so these headers are disabled? Is there any security issue?

--編輯

我正在研究 node.js 并使用了 xmlhttprequest 模塊.以下是測(cè)試代碼:

I am working on node.js and used the xmlhttprequest module. Following is the test code:

var xhr = new XMLHttpRequest();
xhr.open('GET', url, true);
xhr.withCredentials = true;
xhr.setRequestHeader('Cookie', "key=value");
xhr.send(null);

這里我需要將 cookie-header 設(shè)置為 node.js' xmlhttprequest 不要顯式添加 cookie-header(就像瀏覽器那樣).嘗試這樣做時(shí)，xmlhttprequest 會(huì)給出錯(cuò)誤Refused to set unsafe header".

Here I need to set cookie-header as node.js' xmlhttprequest do not explicitly adds cookie-header(as browsers do). When trying to do so, xmlhttprequest gives error "Refused to set unsafe header".

雖然我找到了一個(gè)補(bǔ)丁并且能夠成功發(fā)送 cookie-header.但是想知道為什么禁用設(shè)置 cookie-header ?無(wú)論我在哪里閱讀，都發(fā)現(xiàn)它是數(shù)據(jù)完整性和安全性所必需的，但是在這種情況下可以破壞哪些安全性，卻沒(méi)有提到任何地方.我想評(píng)估這個(gè)數(shù)據(jù)完整性問(wèn)題是否也適用于 node.js 應(yīng)用程序，如果我使用我的補(bǔ)丁.

Though I have found a patch and successfully able to send the cookie-header. But was wondering why it was disabled to set cookie-header? Where-ever I read, found that it is required for data-integrity and security, but what security can be breached in this case, is mentioned no where. I want to evaluate if, this data-integrity problem is valid for node.js application as well if I go with my patch.

推薦答案

我相信你會(huì)經(jīng)歷 工作草案 找到了

I am sure you would have gone through the working draft and found

上面的 headers 是由用戶代理控制的，讓它控制運(yùn)輸?shù)哪切┓矫?

The above headers are controlled by the user agent to let it control those aspects of transport.

首先我們需要了解，這些標(biāo)準(zhǔn)作為不同瀏覽器之間功能互操作性的指南.它不是針對(duì)瀏覽器的強(qiáng)制要求，因此瀏覽器出于不同的原因?qū)@個(gè)標(biāo)準(zhǔn)有不同程度的遵守.

Firstly we need to understand, These are standards working as guidelines for interoperability of functions between different browsers. It's not mandated for the browser and hence browsers do have different level of adherence to this standard for different reasons.

其次，從技術(shù)上講，您可以模擬用戶代理，將您的程序視為瀏覽器，并且可以根據(jù)上述標(biāo)準(zhǔn)很好地設(shè)置這些值.

Secondly, Technically speaking you can emulate a user agent , treat your program as the browser and can very well set those values as per mentioned standards.

最后，禁止覆蓋標(biāo)頭或?yàn)槟承┳侄?如 Content-Length 、Cookie 設(shè)置標(biāo)頭的意圖是安全設(shè)計(jì)方法.這是為了阻止或至少試圖阻止 HTTP 請(qǐng)求走私.

Finally, the intent of disallowing overwriting of Headers or setting up headers for certain fields like Content-Length , Cookie ethos the secure design approach. It is to discourage or at least try to discourage HTTP Request smuggling.

這篇關(guān)于為什么在使用 setRequestHeader 制作 xmlhttprequest 時(shí)無(wú)法設(shè)置 cookie 和 set-cookie 標(biāo)頭?的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！