ajax可以伪造部分header头信息,但有部分http header并不能被模拟,会被忽略或在浏览器发送请求时覆盖掉.
如下文,另外 refer是会被浏览器覆盖掉的.
http://www.w3school.com.cn/xmldom/dom_xmlserializer.asp#footer
有些请求头部由 XMLHttpRequest 自动设置而不是由这个方法设置,以符合 HTTP 协议。这包括如下和代理相关的头部:
- Host
- Connection
- Keep-Alive
- Accept-charset
- Accept-Encoding
- If-Modified-Since
- If-None-Match
- If-Range
- Range
http://www.w3.org/TR/2006/WD-XMLHttpRequest-20060405/#dfn-setrequestheader
User agentsmustnot set any headers other than the headers set by the author using this method,with the following exceptions:
- UAsmustset theHostheader appropriately (seeopen()) and not allow it to be overridden.
- UAsmustset theAuthorizationheader according to the values passed to theopen()method (butmustallow calls tosetRequestHeader()to append values to it).
- UAsmayset theAccept-CharsetandAccept-Encodingheaders andmust notallow them to be overridden.
- UAsmayset theIf-Modified-Since,If-None-Match,If-Range,andRangeheaders if the resource is cached and has not expired (as allowed by HTTP),andmust notallow those headers to be overridden.
- UAsmustset theConnectionandKeep-Aliveheaders as described by the HTTP specification,andmust notallow those headers to be overridden.
- UAsshouldset the proxy-related headers according to proxy settings of the environment,andmust notallow those headers to be overridden.
- UAsmaygive theUser-Agentheader an initial value,butmustallow authors to append values to it.
- UAsshouldsetCookieandCookie2headers appropriately for the given URI and given the user's current cookies,andmustallow authors to append values to these headers.