Strange Angular Rest call behaviour

I am using Angular to call Atlassian JIRA's REST API. Angular is used in the context of an ionic-framework application running on a device.

A curl

curl -X POST 'https://url' -H 'Accept: application/json, text/plain, */*' -H 'Authorization: Basic a2someStuff' -H 'Content-Type: application/json' --data-binary '{"transition": {"id": "761"}}'

works and produces the expected result.

However, if I use regular angular to execute the query,
curl -X POST 'https://url' -H 'Accept: application/json, text/plain, */*' -H 'Authorization: Basic a2someStuff' -H 'X-Atlassian-Token: nocheck' -H 'User-Agent: Mozilla/5.0 (Linux; Android 5.0; Intellibook Build/LRX21V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Safari/537.36' -H 'Content-Type: application/json' --data-binary '{"transition": {"id": "781"}}'

is created. I have verified that this curl works correctly if the User-Agent header is removed. Is it possible to make angular do that?

Edit

Here is the JS that generates the request:

Here is the config part:

// Module name 'app' is a placeholder; the post only shows the chained calls
angular.module('app', [])
  .constant('ApiEndpoint', {
    url: 'someUrl'
  })
  .config(['$httpProvider', function ($httpProvider) {
    // Added to every request; tells JIRA to skip its own XSRF check
    $httpProvider.defaults.headers.common['X-Atlassian-Token'] = 'nocheck';
  }]);

Here is the method body:

// Build the body as an object and let $http serialize it, instead of
// concatenating a JSON string (a quote in `transition` would break it)
var postData = { transition: { id: String(transition) } };
$http({
  url: ApiEndpoint.url + 'issue/' + issueKey + '/transitions',
  method: 'POST',
  data: postData,
  headers: {
    'Content-Type': 'application/json'
  }
}).then(function (response) {
  // some stuff
}, function (error) {
  // error handling
});

If you want to remove the User-Agent header, do this:

.config(['$httpProvider', function ($httpProvider) {
    delete $httpProvider.defaults.headers.common['User-Agent'];
}]);

Here is some information about Cross Site Request Forgery (XSRF) Protection for angular $http (see the Security Considerations section):

XSRF is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. Angular provides a mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. The header will not be set for cross-domain requests.

To take advantage of this, your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on the first HTTP GET request. On subsequent XHR requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have sent the request. The token must be unique for each user and must be verifiable by the server (to prevent the JavaScript from making up its own tokens). We recommend that the token is a digest of your site's authentication cookie with a salt for added security.

The name of the headers can be specified using the xsrfHeaderName and xsrfCookieName properties of either $httpProvider.defaults at config-time, $http.defaults at run-time, or the per-request config object.

In order to prevent collisions in environments where multiple Angular apps share the same domain or subdomain, we recommend that each application uses unique cookie name.

xsrfHeaderName – {string} – Name of the HTTP header to populate with the XSRF token.
xsrfCookieName – {string} – Name of the cookie containing the XSRF token.

$http({
  url: ApiEndpoint.url + 'issue/' + issueKey + '/transitions',
  method: 'POST',
  data: postData,
  headers: {
    'Content-Type': 'application/json'
  },
  xsrfHeaderName: 'XSRF-Header-Name',
  xsrfCookieName: 'XSRF-Cookie-Name'
});