如何在 Reitit 中将 origin header 参数设置为强制性参数?
How can I set the origin header param as mandatory in Reitit?
我有一个带有 Pedestal & Reitit 的 Clojure 应用程序,我需要 origin header 参数是强制性的。
;; deps
[io.pedestal/pedestal.service "0.5.5"]
[pedestal/pedestal.jetty "0.5.5"]
[reitit-pedestal "0.5.5"]
[reitit "0.5.5"]
但是如果我输入我的模式,请求会抛出异常。
(s/defschema my-request
{:header {:origin s/Str}})
["/my-route"
{:get {:parameters my-request
:handler my-handler}}]
异常:
:错误{:来源missing-required-key}
{
"message": "Bad Request",
"exception": "clojure.lang.ExceptionInfo: clojure.lang.ExceptionInfo in Interceptor :reitit.http.coercion/coerce-request -
Request coercion failed: #reitit.coercion.CoercionError{:schema {:origin java.lang.String, Keyword Any}, :errors {:origin missing-required-key}}
要求
curl -X GET "http://localhost:3000/my-route -H "accept: application/json" "origin: TEST" -H "user-agent: test"
CURL 请求有效,问题仅出现在使用 GET 方法的 Swagger UI 中。
似乎 Swagger 的 get 方法没有发送 origin header 参数来避免 cors 的攻击。
我可以解决这个问题吗?
感谢您的帮助
在我与一位同事讨论后,他向我展示了:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
The Origin request header indicates where a fetch originates from. It doesn't include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header, but, unlike this header, it doesn't disclose the whole path.
我找到了这个
https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).
你猜怎么着,origin 就是其中之一。
这个也有。
https://bugzilla.mozilla.org/show_bug.cgi?id=1508661
origin header should not be set for GET and HEAD requests
2 years ago(2018-11-20)
我在 firefox 和 chrome 中尝试并检查了我的应用程序请求,它们的行为等同于链接。
我想就是这样。谢谢
我有一个带有 Pedestal & Reitit 的 Clojure 应用程序,我需要 origin header 参数是强制性的。
;; deps
[io.pedestal/pedestal.service "0.5.5"]
[pedestal/pedestal.jetty "0.5.5"]
[reitit-pedestal "0.5.5"]
[reitit "0.5.5"]
但是如果我输入我的模式,请求会抛出异常。
(s/defschema my-request
{:header {:origin s/Str}})
["/my-route"
{:get {:parameters my-request
:handler my-handler}}]
异常:
:错误{:来源missing-required-key}
{
"message": "Bad Request",
"exception": "clojure.lang.ExceptionInfo: clojure.lang.ExceptionInfo in Interceptor :reitit.http.coercion/coerce-request -
Request coercion failed: #reitit.coercion.CoercionError{:schema {:origin java.lang.String, Keyword Any}, :errors {:origin missing-required-key}}
要求
curl -X GET "http://localhost:3000/my-route -H "accept: application/json" "origin: TEST" -H "user-agent: test"
CURL 请求有效,问题仅出现在使用 GET 方法的 Swagger UI 中。
似乎 Swagger 的 get 方法没有发送 origin header 参数来避免 cors 的攻击。
我可以解决这个问题吗?
感谢您的帮助
在我与一位同事讨论后,他向我展示了:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
The Origin request header indicates where a fetch originates from. It doesn't include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header, but, unlike this header, it doesn't disclose the whole path.
我找到了这个
https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).
你猜怎么着,origin 就是其中之一。
这个也有。 https://bugzilla.mozilla.org/show_bug.cgi?id=1508661
origin header should not be set for GET and HEAD requests 2 years ago(2018-11-20)
我在 firefox 和 chrome 中尝试并检查了我的应用程序请求,它们的行为等同于链接。
我想就是这样。谢谢