如何防止angular.js $ http对象发送X-Requested-With标头?

时间:2021-08-29 12:16:22

Angular.js, when accessing a web service using the $http object, automatically adds a X-Requested-With:XMLHttpRequest header to the request.

Angular.js在使用$ http对象访问Web服务时,会自动向请求添加X-Requested-With:XMLHttpRequest标头。

The web service I am accessing using CORS doesn't support X-Requested-With header, so I tried to eliminate it but I can't acess the $httpProvider object. I get an undefined object error, and if I reference it in the controllers parameters, so that angular injects it I get a "Error: Unknown provider: $httpProviderProvider <- $httpProvider"

我使用CORS访问的Web服务不支持X-Requested-With标头,所以我试图消除它,但我不能访问$ httpProvider对象。我得到一个未定义的对象错误,如果我在控制器参数中引用它,那么angular注入它我得到一个“错误:未知的提供者:$ httpProviderProvider < - $ httpProvider”

So I wonder how can I access the $httpProvider, like it says in the docs (http://docs.angularjs.org/api/ng.$http) to tell angular.js not to send that header...

所以我想知道如何访问$ httpProvider,就像它在文档(http://docs.angularjs.org/api/ng.$http)中所说的那样告诉angular.js不要发送那个头...

4 个解决方案

#1

25  

angular.module('myModule', [])
    .config(['$httpProvider', function($httpProvider) {
        delete $httpProvider.defaults.headers.common["X-Requested-With"]
    }])

#2

11  

I found that, besides Justen answer, I can also do it on a per request basis like this:

我发现,除了Justen的回答,我也可以按照以下要求进行:

delete $http.defaults.headers.common['X-Requested-With']

#3

6  

Since Angular JS version 1.1.1 removing the header is no longer necessary.

See the change log:
https://github.com/angular/angular.js/blob/master/CHANGELOG.md#111-pathological-kerning-2012-11-26

请参阅更改日志:https://github.com/angular/angular.js/blob/master/CHANGELOG.md#111-pathological-kerning-2012-11-26

For people like me who were using the header to identify ajax requests and respond to them differently.

像我这样的人使用标题来识别ajax请求并以不同方式响应它们。

e.g. making a request after the session expires.

例如会话到期后发出请求。

You can re-enable the header like so:

您可以重新启用标头,如下所示:

angular.module('yourModule', [])
.config(['$httpProvider', function($httpProvider) {
    $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
}]);

#4

0  

Since Angular JS version 1.1.1 removing the header is no longer necessary. This change got mentioned on https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

由于不再需要Angular JS 1.1.1版删除标题。在https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers上提到了这一变化

As shown by Josue, this can be easily added to all requests again as follows:

如Josue所示,这可以轻松地再次添加到所有请求中,如下所示:

angular.module('yourModule', [])
    .config(['$httpProvider', function($httpProvider) {
        $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
    }]);

Set the configuration for the header to undefined to remove the header for specific external requests.

将标头的配置设置为undefined,以删除特定外部请求的标头。

let urlExternalValidator = 'https://openiban.com/validate/' + this.iban + '?getBIC=true&validateBankCode=true';
this.$http.get(urlExternalValidator, {
    // simple request to not trigger a CORS preflight
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
    headers: {
        'X-Requested-With': undefined
    }
})

In addition, you can supply a headers property in the config object passed when calling $http(config), which overrides the defaults without changing them globally.

此外,您可以在调用$ http(config)时传递的config对象中提供headers属性,该属性会覆盖默认值而不会全局更改它们。

To explicitly remove a header automatically added via $httpProvider.defaults.headers on a per request basis, Use the headers property, setting the desired header to undefined

要基于每个请求显式删除通过$ httpProvider.defaults.headers自动添加的标头,请使用headers属性,将所需标头设置为undefined

https://docs.angularjs.org/api/ng/service/$http#setting-http-headers

https://docs.angularjs.org/api/ng/service/$http#setting-http-headers

#1

25  

angular.module('myModule', [])
    .config(['$httpProvider', function($httpProvider) {
        delete $httpProvider.defaults.headers.common["X-Requested-With"]
    }])

#2

11  

I found that, besides Justen answer, I can also do it on a per request basis like this:

我发现,除了Justen的回答,我也可以按照以下要求进行:

delete $http.defaults.headers.common['X-Requested-With']

#3

6  

Since Angular JS version 1.1.1 removing the header is no longer necessary.

See the change log:
https://github.com/angular/angular.js/blob/master/CHANGELOG.md#111-pathological-kerning-2012-11-26

请参阅更改日志:https://github.com/angular/angular.js/blob/master/CHANGELOG.md#111-pathological-kerning-2012-11-26

For people like me who were using the header to identify ajax requests and respond to them differently.

像我这样的人使用标题来识别ajax请求并以不同方式响应它们。

e.g. making a request after the session expires.

例如会话到期后发出请求。

You can re-enable the header like so:

您可以重新启用标头,如下所示:

angular.module('yourModule', [])
.config(['$httpProvider', function($httpProvider) {
    $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
}]);

#4

0  

Since Angular JS version 1.1.1 removing the header is no longer necessary. This change got mentioned on https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers

由于不再需要Angular JS 1.1.1版删除标题。在https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers上提到了这一变化

As shown by Josue, this can be easily added to all requests again as follows:

如Josue所示,这可以轻松地再次添加到所有请求中,如下所示:

angular.module('yourModule', [])
    .config(['$httpProvider', function($httpProvider) {
        $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
    }]);

Set the configuration for the header to undefined to remove the header for specific external requests.

将标头的配置设置为undefined,以删除特定外部请求的标头。

let urlExternalValidator = 'https://openiban.com/validate/' + this.iban + '?getBIC=true&validateBankCode=true';
this.$http.get(urlExternalValidator, {
    // simple request to not trigger a CORS preflight
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
    headers: {
        'X-Requested-With': undefined
    }
})

In addition, you can supply a headers property in the config object passed when calling $http(config), which overrides the defaults without changing them globally.

此外,您可以在调用$ http(config)时传递的config对象中提供headers属性,该属性会覆盖默认值而不会全局更改它们。

To explicitly remove a header automatically added via $httpProvider.defaults.headers on a per request basis, Use the headers property, setting the desired header to undefined

要基于每个请求显式删除通过$ httpProvider.defaults.headers自动添加的标头,请使用headers属性,将所需标头设置为undefined

https://docs.angularjs.org/api/ng/service/$http#setting-http-headers

https://docs.angularjs.org/api/ng/service/$http#setting-http-headers

标签:

相关文章