ajax可以伪造部分header头信息, 但有部分http header并不能被模拟, 会被忽略或在浏览器发送请求时覆盖掉.
如下文, 另外 refer是会被浏览器覆盖掉的.
有些请求头部由 XMLHttpRequest 自动设置而不是由这个方法设置,以符合 HTTP 协议。这包括如下和代理相关的头部:
- Host
- Connection
- Keep-Alive
- Accept-charset
- Accept-Encoding
- If-Modified-Since
- If-None-Match
- If-Range
- Range
User agents must not set any headers other than the headers set by the author using this method, with the following exceptions:
- UAs must set the Host header appropriately (see ) and not allow it to be overridden.
- UAs must set the Authorization header according to the values passed to the method (but must allow calls to to append values to it).
- UAs may set the Accept-Charset and Accept-Encoding headers and must not allow them to be overridden.
- UAs may set the If-Modified-Since, If-None-Match, If-Range, and Range headers if the resource is cached and has not expired (as allowed by HTTP), and must notallow those headers to be overridden.
- UAs must set the Connection and Keep-Alive headers as described by the HTTP specification, and must not allow those headers to be overridden.
- UAs should set the proxy-related headers according to proxy settings of the environment, and must not allow those headers to be overridden.
- UAs may give the User-Agent header an initial value, but must allow authors to append values to it.
- UAs should set Cookie and Cookie2 headers appropriately for the given URI and given the user's current cookies, and must allow authors to append values to these headers.