Similar questions have been asked about the nature of when to use POST and when to use GET in an AJAX request
Here: What are the advantages of using a GET request over a POST request?
and here: GET vs. POST ajax requests: When and how to use either?
However, I want to make it clear that that is not exactly what I am asking. I get idempotence, sensitive data, the ability for browsers to be able to try again in the event of an error, and the ability for the browser to be able to cache query string data.
My real scenario is such that I want to prevent my users from being able to simply enter in the URL to my "Compute.cshtml" file (i.e. the file on the server that my jQuery $.ajax function posts to).
I am in a WebMatrix C#.net web-pages environment and I have tried to precede the file name with an underscore (_), but apparently an AJAX request falls under the same criteria that this underscore was designed to prevent the display of, and it, of course, breaks the request.
So if I use POST I can simply use this logic:
if (!IsPost) // if this is not a POST (e.g. the URL was typed into the address bar)...
{
    Response.Redirect("~/"); // ...redirect back to the home page.
}
If I use GET, I suppose I can send additional data like a string containing the value "AccessGranted" and check it on the other side to see if it equals this value and redirect if not, but this could be easily duplicated through typing in the address bar (not that the data is sensitive on the other side, but...).
Anyway, I suppose I am asking if it is okay to always use POST to handle this logic or what the appropriate way to handle my situation is in regards to using GET or POST with AJAX in a WebMatrix C#.net web-pages environment.
3 Answers
#1
2
My advice is, don't try to stop them. It's harmless.
- You won't have direct links to it, so it won't really come up. (You might want your robots.txt to exclude the whole /api directory, for Google's sake).
- It is data they have access to anyway (otherwise you need server-side trimming), so you can't be exposing anything dangerous or sensitive.
- The advantages in using GETs for GET-like requests are many, as you linked to (caching, semantics, etc)
So what's the harm in having that url be accessible via direct browser entry? They can POST directly too, if they're crafty enough, using Fiddler "compose" for example. And having the GETs be accessible via url is useful for debugging.
EDIT: See sites like http://www.robotstxt.org/orig.html for lots of details, but a robots.txt that excluded search engines from your web services directory called /api would look like this:
User-agent: *
Disallow: /api/
#2
1
Similar to IsPost, you can use IsAjax to determine whether the request was initiated by the XmlHttpRequest object in most browsers.
if (!IsAjax) // no X-Requested-With: XmlHttpRequest header, so not the page's own AJAX call
{
    Response.Redirect("~/WhatDoYouThinkYoureDoing.cshtml");
}
It checks the request to see if it has an X-Requested-With header with the value of XmlHttpRequest, or if there is an item in the Request object with the key X-Requested-With that has a value of XmlHttpRequest.
#3
0
One way to detect a direct AJAX call is to check for the presence of the http_referer header. Directly typed URLs won't generate a referrer, but you still won't be able to differentiate the call from a simple anchor link.
(Just keep in mind that some browsers don't generate the header for XHR requests.)
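The three heuristics proposed in the answers above (IsPost from the question, IsAjax via the X-Requested-With header in answer #2, and Referer presence in answer #3) all look at request metadata that the client controls. The following is an added example, not code from the original post or from WebMatrix: it models each check as a pure function over a request description and runs them against constructed requests, so you can see which situations each check actually tells apart. The request shapes, the example.test host and the gate() policy are assumptions for illustration; the header names and the "XMLHttpRequest" value are what jQuery really sends.

```javascript
// Added example (not from the original post): models the request-origin
// heuristics discussed in the answers as pure functions, then evaluates them
// over constructed sample requests. Not WebMatrix's own implementation.

function headerValue(req, name) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Equivalent of WebMatrix's IsPost: only the HTTP method is consulted.
function isPost(req) {
  return req.method.toUpperCase() === "POST";
}

// Equivalent of IsAjax: looks for the header jQuery adds to $.ajax calls.
// Compared case-insensitively here (a simplification, not WebMatrix's exact rule).
function isAjax(req) {
  const v = headerValue(req, "X-Requested-With");
  return typeof v === "string" && v.toLowerCase() === "xmlhttprequest";
}

// Answer #3's heuristic: a typed-in URL sends no Referer, a link click does.
function hasReferer(req) {
  return headerValue(req, "Referer") !== undefined;
}

// Assumed gate policy for Compute.cshtml: the request must look like the
// page's own jQuery call (POST + X-Requested-With). Returns "allow" or "redirect".
function gate(req) {
  return isPost(req) && isAjax(req) ? "allow" : "redirect";
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  // What jQuery's $.ajax({ type: "POST" }) sends from the page itself.
  jqueryPost: {
    method: "POST",
    headers: {
      "X-Requested-With": "XMLHttpRequest",
      "Referer": "https://example.test/",
      "Content-Type": "application/x-www-form-urlencoded",
    },
  },
  // A user typing /Compute.cshtml?x=1 into the address bar.
  typedUrl: { method: "GET", headers: {} },
  // A user following <a href="/Compute.cshtml">: a GET that carries a Referer.
  anchorClick: { method: "GET", headers: { Referer: "https://example.test/" } },
  // A crafted request (Fiddler "compose", curl -H ...): any header can be set.
  forgedPost: {
    method: "POST",
    headers: { "x-requested-with": "XMLHttpRequest" },
  },
};

// Runs every check over every sample.
// Returns { sampleName: { post, ajax, referer, gate } }.
function evaluateAll(samples = SAMPLE_REQUESTS) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = {
      post: isPost(req),
      ajax: isAjax(req),
      referer: hasReferer(req),
      gate: gate(req),
    };
  }
  return out;
}

console.log(JSON.stringify(evaluateAll(), null, 2));
```

The output shows the gate separating a typed-in URL and a link click from the page's own jQuery call, while the forged request passes every check, which is answer #1's point: these are usability heuristics against accidental navigation, not access control. The one real security property X-Requested-With has is unrelated to typed URLs: it is a non-simple header, so a page on another origin cannot attach it without a CORS preflight that your server would have to approve, which is why it is sometimes used as a lightweight cross-site request forgery check for same-origin XHR endpoints.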