Strange Angular Rest call behaviour

吖頭 submitted on 2019-12-13 03:17:25

Question


I use Angular to make a call to Atlassian JIRA's REST API. Angular is used in the context of an ionic-framework app on a device.

A curl such as

curl -X POST 'https://url' -H 'Accept: application/json, text/plain, */*' -H 'Authorization: Basic a2someStuff' -H 'Content-Type: application/json' --data-binary '{"transition": {"id": "761"}}'

works and produces the desired result.

However, if I perform the query using regular Angular, the following

curl -X POST 'https://url' -H 'Accept: application/json, text/plain, */*' -H 'Authorization: Basic a2someStuff' -H 'X-Atlassian-Token: nocheck' -H 'User-Agent: Mozilla/5.0 (Linux; Android 5.0; Intellibook Build/LRX21V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Safari/537.36' -H 'Content-Type: application/json' --data-binary '{"transition": {"id": "781"}}'

is created. I have verified that this curl works correctly if the User-Agent header is removed. Is there any possibility in Angular to perform such an operation?

Edit:

Here is the JS which generates the request.

Here is the config section:

// The question shows only this fragment; 'app' is a placeholder module name
// that the question does not give.
angular.module('app', [])
  .constant('ApiEndpoint', {
    url: 'someUrl'
  })
  .config(['$httpProvider', function ($httpProvider) {
    // Default header added to every request made through $http
    $httpProvider.defaults.headers.common['X-Atlassian-Token'] = 'nocheck';
  }]);

Here are the method contents:

// $http and ApiEndpoint are injected; issueKey and transition are the
// method's arguments. Build the body with JSON.stringify rather than by
// string concatenation so the value is always properly quoted/escaped.
var postData = JSON.stringify({ transition: { id: String(transition) } });
$http({
  url: ApiEndpoint.url + 'issue/' + issueKey + '/transitions',
  method: 'POST',
  data: postData,
  headers: {
    'Content-Type': 'application/json'
  }
}).then(function (response) {
  // some stuff
}, function (error) {
  // handle the failed transition
});

Answer 1:


If you want to delete the User-Agent header, do it like this:

.config(['$httpProvider', function ($httpProvider) {
    // Remove the User-Agent entry from $http's default common headers
    delete $httpProvider.defaults.headers.common['User-Agent'];
}]);

Here is some info about Cross Site Request Forgery (XSRF) protection for Angular $http (see the Security Considerations section):

XSRF is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. Angular provides a mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. The header will not be set for cross-domain requests.

To take advantage of this, your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on the first HTTP GET request. On subsequent XHR requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have sent the request. The token must be unique for each user and must be verifiable by the server (to prevent the JavaScript from making up its own tokens). We recommend that the token is a digest of your site's authentication cookie with a salt for added security.

The name of the headers can be specified using the xsrfHeaderName and xsrfCookieName properties of either $httpProvider.defaults at config-time, $http.defaults at run-time, or the per-request config object.

In order to prevent collisions in environments where multiple Angular apps share the same domain or subdomain, we recommend that each application uses a unique cookie name.

xsrfHeaderName – {string} – Name of HTTP header to populate with the XSRF token.
xsrfCookieName – {string} – Name of cookie containing the XSRF token.

$http({
    url: ApiEndpoint.url + 'issue/' + issueKey + '/transitions',
    method: 'POST',
    data: postData,
    headers: {
      'Content-Type': 'application/json'
    },
    // Per-request override of the cookie and header names $http uses for XSRF
    xsrfHeaderName: 'XSRF-Header-Name',
    xsrfCookieName: 'XSRF-Cookie-Name'
});


Source: https://stackoverflow.com/questions/35199303/strange-angular-rest-call-behaviour
