
Using Ajax on an intranet to reach the external network through a proxy (Ajax Security)

程序员文章站 2024-02-21 12:50:12
...

 

     if (options.proxy) {
         xmlHttp.withCredentials = true;
         // Value is "Basic " + base64(username + ":" + password); username and
         // password are assumed to be in scope. The original hard-coded the
         // base64 blob, which exposes the proxy credentials to anyone who can
         // read the page source, so it is computed here instead.
         xmlHttp.setRequestHeader("Proxy-Authorization",
             "Basic " + btoa(username + ":" + password));
     }

 Note that the value of the request header is "Basic " + Base64.encode(username + ":" + password), i.e. the Base64 of the string username:password. Anything placed in client-side script this way is readable by every user of the page, so the proxy credentials are effectively public.

But I don't know why the following is needed:

xmlHttp.withCredentials = true;

 

And according to the W3C (the setRequestHeader() rules of the XMLHttpRequest specification):

 

For security reasons, these steps should be terminated if header is an ASCII case-insensitive match for one of the following headers:
Accept-Charset 
Accept-Encoding 
Connection 
Content-Length 
Cookie 
Cookie2 
Content-Transfer-Encoding 
Date 
Expect 
Host 
Keep-Alive 
Referer 
TE 
Trailer 
Transfer-Encoding 
Upgrade 
User-Agent 
Via 

… or if the start of header is an ASCII case-insensitive match for Proxy- or Sec- (including when header is just Proxy- or Sec-).

Note: The above headers are not allowed to be set as they are better controlled by the user agent as it knows best what value they should have. Header names starting with Sec- are not allowed to be set to allow new headers to be minted in the future that are guaranteed not to come from XMLHttpRequest. (Older clients would however still be vulnerable as they allow such headers to be set.)

 But after setting it this way it really did work, and the 407 no longer appears; I don't know whom to believe.


btw: why is the status returned by my Ajax request always 0, with a return value of "" / null, while if I copy the value of xmlhttp.url into the address bar and press Enter it works and returns a response? Experts, please explain.
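The forbidden-header rule quoted above from the XMLHttpRequest specification, written out as code, together with a wrapper that reports when a header would be dropped. This is an added example and is not code from the original post. The spec has setRequestHeader() simply return for a forbidden name, so the caller gets no error and no signal; the browser then sends the request without that header. The function and variable names below (isForbiddenRequestHeader, setRequestHeaderChecked, makeFakeXhr, demo) are illustrative, and the fake XHR object is a constructed stand-in so the code runs outside a browser.

```javascript
// Header names the quoted spec text lists as forbidden for setRequestHeader(),
// stored lower-cased because the comparison is ASCII case-insensitive.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "connection", "content-length",
  "cookie", "cookie2", "content-transfer-encoding", "date", "expect",
  "host", "keep-alive", "referer", "te", "trailer", "transfer-encoding",
  "upgrade", "user-agent", "via",
]);

// ASCII-only lower-casing, as the spec requires; String.prototype.toLowerCase
// would also fold non-ASCII letters, which is not what "ASCII case-insensitive
// match" means.
function asciiLower(s) {
  return s.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

// True when the browser would ignore setRequestHeader() for this name:
// an exact (case-insensitive) match in the list, or any name starting with
// "Proxy-" or "Sec-" (including the bare prefixes).
function isForbiddenRequestHeader(name) {
  const n = asciiLower(String(name));
  return FORBIDDEN_HEADER_NAMES.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// "Basic " + base64(username + ":" + password). btoa() is what a browser has;
// Buffer is the Node fallback. Basic credentials are treated as latin1 bytes.
function buildBasicAuthorization(username, password) {
  const raw = username + ":" + password;
  const encoded = typeof btoa === "function"
    ? btoa(raw)
    : Buffer.from(raw, "latin1").toString("base64");
  return "Basic " + encoded;
}

// Wrapper around xhr.setRequestHeader(): returns true if the header was set,
// false if the name is forbidden and a real XMLHttpRequest would have
// silently returned without setting anything.
function setRequestHeaderChecked(xhr, name, value) {
  if (isForbiddenRequestHeader(name)) {
    return false;
  }
  xhr.setRequestHeader(name, value);
  return true;
}

// Constructed stand-in for XMLHttpRequest (illustrative, not a browser API):
// it only records the headers a caller managed to set.
function makeFakeXhr() {
  const headers = {};
  return {
    headers,
    setRequestHeader(name, value) { headers[asciiLower(name)] = value; },
  };
}

// Try the header from the original snippet next to two ordinary ones:
// Proxy-Authorization is refused, Authorization and X-Requested-With go through.
function demo() {
  const xhr = makeFakeXhr();
  const cred = buildBasicAuthorization("user", "pass"); // constructed sample credentials
  const results = {
    proxyAuth: setRequestHeaderChecked(xhr, "Proxy-Authorization", cred),
    auth: setRequestHeaderChecked(xhr, "Authorization", cred),
    custom: setRequestHeaderChecked(xhr, "X-Requested-With", "XMLHttpRequest"),
  };
  return { results, headers: xhr.headers };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real browser the false return value of setRequestHeaderChecked is the only signal that the header was never attached, since setRequestHeader() itself returns nothing in either case; checking the name before the call is cheaper than diagnosing it from the proxy's 407 afterwards.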

Related tags: Ajax Security