Refused to set unsafe header "cookie" and net::ERR_INSECURE_RESPONSE in AngularJS

I am trying to make REST requests to a Wildfly server. First, I have to log in to the old application and get a cookie. That cookie must be used in the newer application to make the REST requests. The new application is a template built from the real, existing application. I have tried some options in the headers of the REST request, such as setting the properties withCredentials, Access-Control-Allow-Credentials, token and crossDomain, as shown in the function getAllEntities below.

The REST requests are tested and work fine with RestClient in the Firefox browser, as shown below.

I don't know how:

This is what the request looks like in RestClient:

Method: GET 
URL: https://xx.xx.xx.xx:8443/api/codes
Content-Type: application/json
Accept: application/json
Cookie: code_system_frontend=bvkkvbcp24igdgja4h5hht13p4; code=ae8be9267e8dfea86a8f54f6bd980733

This is what the response looks like in RestClient:

Status Code: 200 OK
Access-Control-Allow-Headers: Content-Type, Content-Disposition, Accept, responseType, X-MAC, X-TIME, Cookie
Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Type, Content-Disposition, Accept
Connection: keep-alive
Content-Type: application/json
Date: Tue, 26 Jul 2016 15:22:00 GMT
Server: WildFly/9
Transfer-Encoding: chunked
access-control-allow-credentials: true
x-powered-by: Undertow/1

And a typical JSON response body:

[
    {
        "code": 1,
        "codename": "Demo"
    },
    {
       "code": 2,
       "codename": "Gmx"
    }
    //AND SO ON 
]

This is the code in AngularJS:

function getAllEntities(entityName, addToCache) {
    // request options passed to $http.get; the 'cookie' entry is the header
    // Chrome refuses to set, and withCredentials here is placed among the headers
    var config = {
        headers: {
            'cookie': 'code_system_frontend=bvkkvbcp24igdgja4h5hht13p4;code=ae8be9267e8dfea86a8f54f6bd980733',
            'Content-Type': 'application/json',
            'Accept': 'application/json',
            'withCredentials': 'true',
            //'Access-Control-Allow-Credentials': 'true',
            //'X-API-TOKEN': undefined,
            //'token':undefined,
            //crossDomain: true
        },
        data: ''
    };

    return $http.get(endPoints.api + entityName, config)
        .then(getAllEntitiesComplete)
        .catch(function (message) {
            // log first: a statement after 'return' would never run
            logger.info('Message ' + message);
            exception.catcher('XHR Failed for getAllEntities for entity ' + entityName)(message);
            return $q.reject(message);
        });

    // $http resolves with a single response object; the payload is response.data
    function getAllEntitiesComplete(response) {
        var entities = response.data;

        if (addToCache) {
            service.cachedLookups[entityName] = entities;
            service[entityName + 's'] = entities;
        }
        return entities;
    }
}

In Firebug I get:

Request headers in Firebug:

Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Host: XX.XX.XX.XX:8443
Origin: http://admin.dev.xxxxxxxx.xxx
Referer: http://admin.dev.xxxxxxxx.xxx/xx/codes
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
token: fake token for anonymous user
withCredentials: true

I also get a warning in Firebug:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the 
remote resource at https://xx.xx.xx.xx:8443/xxxxxxxx/api/code. (Reason: 
CORS header 'Access-Control-Allow-Origin' does not match '*').

Because of my code I get this error:

Error: XHR Failed for getAllEntities for entity suborder Object { status=0, config={...},  data=null,  more...}

In Chrome I get:

Refused to set unsafe header "cookie" 

net::ERR_INSECURE_RESPONSE

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://xx.xx.xx.xx:8443/xxxxxxxx/api/code. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*').

Your server does not seem to have Cross-Origin Resource Sharing (CORS) enabled, or it is misconfigured.

Regarding the header problem, you should look at this post:

AJAX post error : Refused to set unsafe header "Connection"

XMLHttpRequest isn't allowed to set these headers, they are being set automatically by the browser. The reason is that by manipulating these headers you might be able to trick the server into accepting a second request through the same connection, one that wouldn't go through the usual security checks - that would be a security vulnerability in the browser.

If you use cookies, the cookie should be sent automatically with every request, especially when you have set withCredentials = true.

However, if you use tokens, you have to add them to the Authorization header, usually in the format: "Bearer " + mytoken
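As an added example that is not part of the question or the answer above: the block below puts the answer's two points into runnable form (the browser manages Cookie itself, so withCredentials is a request option rather than a header, and a token belongs in Authorization), and it also reproduces the rule behind the "'Access-Control-Allow-Origin' does not match '*'" message in the question, namely that a wildcard origin is not accepted once credentials are involved, so the server has to echo one specific allowed origin. The helper names, the front-end origin string and the sample token are assumptions made for this example, and the "response from the question" is constructed from the headers shown above; nothing here talks to a real server.

```javascript
// Added example, not code from the question or the answer. Helper names,
// the origin string and the token below are assumptions made for this example.

// Header names a browser will not let page script set (the Fetch spec's
// "forbidden header name" list; newer browsers may add entries). Cookie is
// in it, which is why Chrome prints 'Refused to set unsafe header "cookie"'.
const FORBIDDEN_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade',
  'via',
]);

function isForbiddenHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN_HEADERS.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// Names in `headers` the browser would refuse or silently drop.
function rejectedHeaders(headers) {
  return Object.keys(headers).filter(isForbiddenHeader);
}

// The $http config the answer recommends: withCredentials is a config option,
// not a request header, and it makes the browser attach the cookies it already
// holds for the API origin. A token, if used, goes into Authorization.
function buildRequestConfig(options) {
  const opts = options || {};
  const headers = {
    'Content-Type': 'application/json',
    'Accept': 'application/json',
  };
  if (opts.token) {
    headers['Authorization'] = 'Bearer ' + opts.token;
  }
  const bad = rejectedHeaders(headers);
  if (bad.length > 0) {
    throw new Error('browser-managed header(s) in config: ' + bad.join(', '));
  }
  return { headers: headers, withCredentials: true };
}

// Case-insensitive header lookup (the server in the question sends
// 'access-control-allow-credentials' in lower case).
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Server side of a credentialed CORS exchange. With credentials, '*' is not
// an acceptable Access-Control-Allow-Origin value: the server must echo one
// specific origin from its own allow-list, and add Vary: Origin so caches do
// not hand one origin's response to another.
function corsResponseHeaders(requestOrigin, allowedOrigins, credentials) {
  if (allowedOrigins.indexOf(requestOrigin) === -1) {
    return null; // unknown origin: send no CORS headers at all
  }
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Accept, Authorization',
  };
  if (credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Mirror of the browser-side check that produced the error in the question:
// may a page at `origin`, sending credentials or not, read a response that
// carries `responseHeaders`?
function browserAcceptsCors(origin, responseHeaders, credentials) {
  const acao = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (acao === undefined) return false;
  if (acao === '*') return !credentials; // wildcard is only valid without credentials
  if (acao !== origin) return false;
  if (!credentials) return true;
  return getHeader(responseHeaders, 'Access-Control-Allow-Credentials') === 'true';
}

// Constructed values for a stand-alone run.
const PAGE_ORIGIN = 'http://admin.dev.example'; // assumed front-end origin
const questionHeaders = { cookie: 'code=constructed', 'Content-Type': 'application/json' };
const questionResponse = { // shape of the response shown in the question
  'Access-Control-Allow-Origin': '*',
  'access-control-allow-credentials': 'true',
};
console.log('refused by the browser:', rejectedHeaders(questionHeaders));
console.log('config to pass to $http.get:', buildRequestConfig({ token: 'constructed-token' }));
console.log('question response accepted with credentials?',
  browserAcceptsCors(PAGE_ORIGIN, questionResponse, true));
console.log('fixed response accepted?',
  browserAcceptsCors(PAGE_ORIGIN, corsResponseHeaders(PAGE_ORIGIN, [PAGE_ORIGIN], true), true));
```

In the question's getAllEntities, the object returned by buildRequestConfig is what would be passed as the second argument to $http.get; the cookie header is simply left out and the browser attaches the cookies it holds for xx.xx.xx.xx:8443 on its own. The server-side part is the piece the answer says is misconfigured: as long as the API answers with Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true, browserAcceptsCors returns false for the credentialed request, which is the same verdict Firefox and Chrome reach.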