Problem description
I've noticed that the results of XMLHttpRequest.getResponseHeader() don't always match the real headers returned (if the request is made in a regular manner).
For example, assume I'm making an xhr request for https://foo.example.com/api/resource/100. In Chrome's developer console, under 'Network', I can see the response being made -- I can also see all of the response headers (say, 10). However (copy-pasted console):
> response
XMLHttpRequest
> response.getAllResponseHeaders();
"content-type: text/html
"
Are there any restrictions on what headers are available? Is this dependent on the response type? I remember getting a complete set of headers for 404s but just this one for 400s.
What gives?
Recommended answer
The current state of standardizing the XMLHttpRequest API only restricts access to the Set-Cookie and Set-Cookie2 header fields:
client.getAllResponseHeaders()
Returns all headers from the response, with the exception of those whose field name is Set-Cookie or Set-Cookie2.
Any other header field should be returned.
But as you’re doing a cross-origin request, the browser needs to implement XMLHttpRequest Level 2, as the original XMLHttpRequest only allows same-origin requests:
The XMLHttpRequest Level 2 specification enhances the XMLHttpRequest object with new features, such as cross-origin requests […]
There you can read that the "Cross-Origin Resource Sharing specification filters the headers that are exposed by getResponseHeader() for non same-origin requests." And that specification forbids access to any response header field except the simple response header fields (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, and Pragma):
User agents must filter out all response headers other than those that are a simple response header […]
E.g. the getResponseHeader() method of XMLHttpRequest will therefore not expose any header not indicated above.
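The filtering described in the answer above, as an added example that is not part of the original post: a small Node.js model of which header names script can read for same-origin and cross-origin responses. The function names and sample headers are constructed, and the handling of Access-Control-Expose-Headers (the CORS response header a server sends to opt additional fields in) goes beyond the part of the specification the answer quotes.

```javascript
// Added example: a model of the filtering, not browser code.
// All names and sample values below are constructed for illustration.

// Never readable from script (XMLHttpRequest text quoted in the answer).
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Simple response headers listed in the answer (older CORS spec list).
const SIMPLE = new Set([
  "cache-control", "content-language", "content-type",
  "expires", "last-modified", "pragma",
]);

// Parse an Access-Control-Expose-Headers value into lowercase field names.
// The "*" wildcard of newer specs is deliberately not modelled here.
function parseExposeList(value) {
  return new Set(
    (value || "").split(",").map((n) => n.trim().toLowerCase()).filter(Boolean)
  );
}

// Header names a script would see via getAllResponseHeaders(), sorted.
function visibleHeaders(headers, sameOrigin) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const exposed = parseExposeList(lower["access-control-expose-headers"]);
  return Object.keys(lower)
    .filter((name) => {
      if (FORBIDDEN.has(name)) return false;   // applies to every request
      if (sameOrigin) return true;             // no CORS filtering
      return SIMPLE.has(name) || exposed.has(name);
    })
    .sort();
}

// Constructed response, similar to what the Network tab would show.
const sampleResponse = {
  "Content-Type": "text/html",
  "Cache-Control": "no-store",
  "Set-Cookie": "sid=constructed; HttpOnly",
  "X-Request-Id": "constructed-123",
};
const withExpose = {
  ...sampleResponse,
  "Access-Control-Expose-Headers": "X-Request-Id",
};

console.log(visibleHeaders(sampleResponse, true));
console.log(visibleHeaders(sampleResponse, false));
console.log(visibleHeaders(withExpose, false));
```

Only the names the server lists in Access-Control-Expose-Headers become readable cross-origin, so a custom header stays out of reach of third-party script unless it is listed there.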