更新时间:2022-02-16 23:06:47
当您使用 $window.location.href
时,浏览器发出的是 HTTP 请求,而不是您的 JavaScript 代码.因此,您不能使用令牌值添加像 Authorization
这样的自定义标头.
When you use $window.location.href
the browser is making the HTTP request and not your JavaScript code. Therefore, you cannot add a custom header like Authorization
with your token value.
您可以通过 JavaScript 添加一个 cookie 并将您的身份验证令牌放在那里.cookie 将自动从浏览器发送.但是,您需要查看使用 cookie 与标头的安全隐患.由于两者都可以通过 JavaScript 访问,因此没有额外的攻击向量.除非您在新页面加载后移除 cookie,否则可能存在 CSRF 漏洞利用.
You could add a cookie via JavaScript and put your auth token there. The cookies will automatically be sent from the browser. However, you will want to review the security implications of using a cookie vs. a header. Since both are accessible via JavaScript, there is no additional attack vector there. Unless you remove the cookie after the new page loads, there may be a CSRF exploit available.