Add custom header on non-ajax post
As far as I know, you cannot set header fields when submitting a form; that is only possible in an ajax request.
This question also points out that it is not possible:
- How to set a Header field on POST a form?
But when reading the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, it says:
Encrypted Token Pattern
Overview
The Encrypted Token Pattern leverages an encryption, rather than
comparison, method of Token-validation. After successful
authentication, the server generates a unique Token comprised of the
user's ID, a timestamp value and a nonce, using a unique key available
only on the server. This Token is returned to the client and embedded
in a hidden field. Subsequent AJAX requests include this Token in the
request-header, in a similar manner to the Double-Submit pattern.
Non-AJAX form-based requests will implicitly persist the Token in its hidden field, although I recommend persisting this data in a
custom HTTP header in such cases. On receipt of this request, the
server reads and decrypts the Token value with the same key used to
create the Token.
This sentence confuses me:
I recommend persisting this data in a custom HTTP header in such cases
Can someone explain this?
Yes, that sentence implies the POST operation is invoked by a custom JavaScript handler that injects the AUTH header. I have corrected the OWASP description to reflect this oversight.
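To make the answer concrete, here is an added example (not from the answerer or from OWASP) of what such a custom JavaScript handler looks like: a native form submission cannot carry extra headers, so the handler intercepts `submit`, re-sends the same fields with `fetch()` and adds the token as a header, while the hidden field still travels in the body so the form keeps working without JavaScript. The header name `X-CSRF-Token`, the field name `csrf_token` and the `data-csrf-header` opt-in attribute are assumptions for this example.

```javascript
// Added example: a submit handler that turns a plain form POST into a request
// carrying the CSRF token in a custom header. Not from the original answer.

// Pure part: describe the fetch() request for a set of form fields.
// Kept free of DOM access so it can be exercised outside a browser.
function buildTokenRequest(fields, token) {
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    body.append(name, value); // hidden csrf_token stays in the body as a no-JS fallback
  }
  return {
    method: 'POST',
    credentials: 'same-origin', // send the session cookie, same-origin only
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'X-CSRF-Token': token, // assumed header name; the server reads this first
    },
    body: body.toString(),
  };
}

// Browser wiring: only runs where a DOM exists. Forms opt in with
// data-csrf-header (assumed attribute) so other forms submit natively.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', (event) => {
    const form = event.target;
    if (!(form instanceof HTMLFormElement) || form.dataset.csrfHeader === undefined) return;
    event.preventDefault();
    const fields = Object.fromEntries(new FormData(form).entries());
    fetch(form.action, buildTokenRequest(fields, fields.csrf_token))
      .then((res) => {
        // Follow the server's post-submit redirect, or reload on a direct 2xx.
        if (res.redirected) window.location.assign(res.url);
        else if (res.ok) window.location.reload();
        else form.dispatchEvent(new CustomEvent('csrf-submit-failed', { detail: res.status }));
      });
  });
}

module.exports = { buildTokenRequest };
```

Carrying the token in a custom header has a side benefit the cheat sheet also relies on: a cross-origin request with a non-simple header triggers a CORS preflight, which the server can refuse, so a forged cross-site POST never reaches the handler with that header set.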