sec-fetch-site header 是什么意思?为什么 Origin header 未定义?
What does the sec-fetch-site header mean? Why is the Origin header undefined?
我有一个从我的 React 应用调用的 API 端点。 API 在同一个域中。类似于:
https://www.example.com
https://www.example.com/api/update-something
我使用 cross-fetch 来完成该请求。
我期待在我的服务器日志中看到 Origin header。事实上,我期待看到 Origin: https://www.example.com .
但这是我得到的:
Origin: undefined
// AND I ALSO GET THESE HEADERS
"sec-fetch-dest":"empty",
"sec-fetch-mode":"cors",
"sec-fetch-site":"same-origin"
它们是什么意思?好像 Origin 检查已经完成了?
例如:如果我得到 sec-fetch-site: cross-site 是否意味着调用是在另一个 website/domain 中生成的?对吗?
参考:
Sec-Fetch-Site: cross-site
Sec-Fetch-Site: same-origin
Sec-Fetch-Site: same-site
Sec-Fetch-Site: none
Origin header 与 CORS 请求以及 POST 请求一起发送。
使用 HEAD 或 GET
方法的 Fetch 请求未设置 Origin header
来自:
Origin header
I have an API endpoint that I call from my React app. That API is on the same domain. … I was expecting to see an Origin header on my server logs.
浏览器在 same-origin GET 请求中未发送 Origin,根据 Fetch 规范要求。 ✳️
it's like the Origin check was already made
是的——浏览器知道:
- 发出请求的代码来源
- 请求的资源来源
- 请求方式
…浏览器会在决定是否添加 Origin header 之前检查所有这些;如果来源匹配并且方法是 GET.
,他们不会添加 Origin header
// AND I ALSO GET THESE HEADERS
"sec-fetch-dest":"empty",
"sec-fetch-mode":"cors",
"sec-fetch-site":"same-origin"
What do they mean? … For example: if I get sec-fetch-site: cross-site it means that the call was generate in another website/domain? Is that correct?
https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header有详情:
Sec-Fetch-Site value
What the value indicates
same-origin
The origin to which the request is being made matches the origin of the code making the request.
same-site
The origin to which the request is being made and the origin of the code making the request have the same “registrable domain” (sometimes also referred to as the “same eTLD+1” or “same effective top-level domain plus one”); so, for example, https://subdomain.example.com and https://example.com are same-site (even though not same-origin).
cross-site
The origin to which the request is being made and the origin of the code making the request are neither same-origin nor even same-site but instead have different registrable domains.
none
The request wasn’t initiated programatically by frontend code (for example, not by an XHR/fetch/ajax call) but instead initiated by normal user navigation — that is, by a user doing something like directly putting an address into the browser URL bar, or clicking on a hyperlink.
✳️ 规范要求导致 Origin header 在 same-origin GET 请求中被省略:
是否添加 Origin header 最终取决于请求的 “response tainting”, the value of which starts out as "basic", and which, for same-origin requests, the Fetch algorithm keeps sets to "basic", per step 12 of the “Main fetch” algorithm:
↪ request’s current url’s origin is same origin with request’s
origin, and request’s response tainting is "basic"
…
- Set request’s response tainting to "
basic".
- Return the result of running scheme fetch given fetchParams.
运行 scheme fetch causes the append a request `Origin` header 算法被调用,这导致 Origin header 仅在至少满足以下条件之一时才被添加:
- 请求的响应污染是“
cors”
- 请求的模式是“
websocket”
- 请求的方法既不是
GET也不是HEAD
但对于 same-origin GET,响应污染不是 cors(相反,根据上述要求,它是 basic),请求模式不是t websocket,当然方法既不是GET也不是HEAD(它是GET);因此,该算法要求浏览器不要添加 Origin header.
我有一个从我的 React 应用调用的 API 端点。 API 在同一个域中。类似于:
https://www.example.com
https://www.example.com/api/update-something
我使用 cross-fetch 来完成该请求。
我期待在我的服务器日志中看到 Origin header。事实上,我期待看到 Origin: https://www.example.com .
但这是我得到的:
Origin: undefined
// AND I ALSO GET THESE HEADERS
"sec-fetch-dest":"empty",
"sec-fetch-mode":"cors",
"sec-fetch-site":"same-origin"
它们是什么意思?好像 Origin 检查已经完成了?
例如:如果我得到 sec-fetch-site: cross-site 是否意味着调用是在另一个 website/domain 中生成的?对吗?
参考:
Sec-Fetch-Site: cross-site
Sec-Fetch-Site: same-origin
Sec-Fetch-Site: same-site
Sec-Fetch-Site: none
Origin header 与 CORS 请求以及 POST 请求一起发送。 使用 HEAD 或 GET
方法的 Fetch 请求未设置 Origin header来自: Origin header
I have an API endpoint that I call from my React app. That API is on the same domain. … I was expecting to see an
Originheader on my server logs.
浏览器在 same-origin GET 请求中未发送 Origin,根据 Fetch 规范要求。 ✳️
it's like the Origin check was already made
是的——浏览器知道:
- 发出请求的代码来源
- 请求的资源来源
- 请求方式
…浏览器会在决定是否添加 Origin header 之前检查所有这些;如果来源匹配并且方法是 GET.
Origin header
// AND I ALSO GET THESE HEADERS "sec-fetch-dest":"empty", "sec-fetch-mode":"cors", "sec-fetch-site":"same-origin"What do they mean? … For example: if I get
sec-fetch-site: cross-siteit means that the call was generate in another website/domain? Is that correct?
https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header有详情:
| Sec-Fetch-Site value | What the value indicates |
|---|---|
| same-origin | The origin to which the request is being made matches the origin of the code making the request. |
| same-site | The origin to which the request is being made and the origin of the code making the request have the same “registrable domain” (sometimes also referred to as the “same eTLD+1” or “same effective top-level domain plus one”); so, for example, https://subdomain.example.com and https://example.com are same-site (even though not same-origin). |
| cross-site | The origin to which the request is being made and the origin of the code making the request are neither same-origin nor even same-site but instead have different registrable domains. |
| none | The request wasn’t initiated programatically by frontend code (for example, not by an XHR/fetch/ajax call) but instead initiated by normal user navigation — that is, by a user doing something like directly putting an address into the browser URL bar, or clicking on a hyperlink. |
✳️ 规范要求导致 Origin header 在 same-origin GET 请求中被省略:
是否添加 Origin header 最终取决于请求的 “response tainting”, the value of which starts out as "basic", and which, for same-origin requests, the Fetch algorithm keeps sets to "basic", per step 12 of the “Main fetch” algorithm:
↪ request’s current url’s origin is same origin with request’s origin, and request’s response tainting is "
basic"
…
- Set request’s response tainting to "
basic".- Return the result of running scheme fetch given fetchParams.
运行 scheme fetch causes the append a request `Origin` header 算法被调用,这导致 Origin header 仅在至少满足以下条件之一时才被添加:
- 请求的响应污染是“
cors” - 请求的模式是“
websocket” - 请求的方法既不是
GET也不是HEAD
但对于 same-origin GET,响应污染不是 cors(相反,根据上述要求,它是 basic),请求模式不是t websocket,当然方法既不是GET也不是HEAD(它是GET);因此,该算法要求浏览器不要添加 Origin header.