HTTP 标头对浏览器来说是否太大?

2022-01-17 00:00:00 http-headers browser ajax

我正在构建一个 AJAX 应用程序,它使用 HTTP 内容和 HTTP 标头来发送和接收数据.是否存在浏览器无法读取从 HTTP 标头接收到的数据,因为它太大了?如果是,限制是多少?所有浏览器的行为是否相同?

I am building an AJAX application that uses both HTTP Content and HTTP Header to send and receive data. Is there a point where the data received from the HTTP Header won't be read by the browser because it is too big ? If yes, what is the limit and is it the same behaviour in all the browser ?

我知道理论上 HTTP 标头的大小是没有限制的,但在实践中,我可能在某些平台、浏览器或安装某些软件时遇到问题在客户端计算机或机器上.我更关注使用 HTTP 标头的安全实践指南.换句话说,HTTP 标头可以在多大程度上用于传输附加数据而不会出现潜在问题?

I know that theoretically there is no limit to the size of HTTP headers, but in practice what is the point that past that, I could have problem under certain platform, browsers or with certain software installed on the client computer or machine. I am more looking into a guide-line for safe practice of using HTTP headers. In other word, up to what extend can HTTP headers be used for transmitting additional data without having potential problem coming into the line ?

感谢所有关于这个问题的意见,非常感谢和有趣.托马斯的回答得到了赏金,但 乔恩·汉娜的回答 提出了关于代理的一个很好的观点.

Thanks, for all the input about this question, it was very appreciated and interesting. Thomas answer got the bounty, but Jon Hanna's answer brought up a very good point about the proxy.

推荐答案

在实践中,虽然有一些规则禁止代理不传递某些标头(实际上,可以修改的非常明确的规则,甚至关于如何通知代理关于是否可以修改后标准添加的新标头),这仅适用于透明"代理,并非所有代理都是透明的.特别是,一些他们不理解为故意安全做法的擦除标头.

In practice, while there are rules prohibitting proxies from not passing certain headers (indeed, quite clear rules on which can be modified and even on how to inform a proxy on whether it can modify a new header added by a later standard), this only applies to "transparent" proxies, and not all proxies are transparent. In particular, some wipe headers they don't understand as a deliberate security practice.

此外,在实践中,有些人确实行为不端(尽管情况比以前好得多).

Also, in practice some do misbehave (though things are much better than they were).

因此,除了显而易见的核心标头之外,您可以依赖的从服务器传递到客户端的标头信息量为零.

So, beyond the obvious core headers, the amount of header information you can depend on being passed from server to client is zero.

这只是您永远不应该依赖于使用良好的标头的原因之一(例如,准备好让客户端重复请求它应该缓存的东西,或者让服务器在您发送整个实体时发送请求一个范围),除非是身份验证标头的明显情况(根据安全失败原则).

This is just one of the reasons why you should never depend on headers being used well (e.g., be prepared for the client to repeat a request for something it should have cached, or for the server to send the whole entity when you request a range), barring the obvious case of authentication headers (under the fail-to-secure principle).

相关文章