The problem is that the front-end and the back-end often provide different levels of support for the HTTP protocol, while at the same time aggregating requests from different users into one shared channel. To connect the front-end that accepts requests with the back-end that processes them, a long-lived TCP connection is established, over which user requests are transmitted one after another in a chain, delimited using the means of the HTTP protocol. To separate requests, the headers "Content-Length" (which determines the total size of the data in the request) and "
The problem arises if the front-end supports only "Content-Length" but ignores "Transfer-Encoding: chunked" (for example, the Akamai CDN did this), or the other way round. If "Transfer-Encoding: chunked" is supported on both sides, implementation quirks of the HTTP header parsers can be used for an attack (for example, when the front-end ignores lines such as "Transfer-Encoding: xchunked", "Transfer-Encoding : chunked", "Transfer-Encoding:[tab]chunked", "X: X[\n]Transfer-Encoding: chunked" or other malformed "Transfer-Encoding" spellings, while the back-end processes them successfully).
In that case the attacker can send a request containing both the "Content-Length" and the "Transfer-Encoding: chunked" headers, where the size in "Content-Length" does not match the size of the chunked chain, which is smaller than the real value. If the front-end processes and forwards the request according to "Content-Length", and the back-end waits for the block to complete based on "Transfer-Encoding: chunked", then the end of the data according to "Transfer-Encoding: chunked" is determined earlier, and the remaining tail of the attacker's request becomes the beginning of the next request; i.e. the attacker is able to prepend arbitrary data to the beginning of someone else's request that is forwarded next.
To determine whether the front-end/back-end combination in use is affected, you can send a request like the following to the front-end:
POST /about HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4

1
Z
Q
The problem is present if the back-end does not process the request immediately but instead waits for the final zero-size chunk of the chunked data to arrive. For a more complete check
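The following is an added example, not code from the original article: it computes where a Content-Length front-end and a chunked back-end each believe a request ends, using constructed sample requests (the probe above, a CL.TE desync with a leftover tail, and an obfuscated header spelling). Any disagreement, or a request carrying both headers at all, is what a gateway should reject or alert on.

```python
import re

# Constructed samples, not taken from the original article.
# PROBE is the timing probe shown above: Content-Length covers only "1\r\nZ".
PROBE = (b"POST /about HTTP/1.1\r\nHost: example.com\r\n"
         b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n1\r\nZ\r\nQ")
# DESYNC: the chunked body ends after 5 bytes; the other 13 would become
# the prefix of whatever request follows on the shared back-end connection.
DESYNC = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 18\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nLEFTOVER-TAIL")
# OBFUSCATED: a spelling a strict front-end ignores but a lenient back-end may honour.
OBFUSCATED = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n"
              b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

def chunked_end(body: bytes):
    """Offset where a chunked body ends, or None if the back-end would keep waiting."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return None                      # size line not complete yet
        try:
            size = int(body[pos:nl].split(b";")[0].strip(), 16)
        except ValueError:
            return None                      # malformed size line; treated as unfinished
        pos = nl + 2
        if size == 0:                        # last chunk needs an empty trailer line
            return pos + 2 if body[pos:pos + 2] == b"\r\n" else None
        if len(body) < pos + size + 2:
            return None                      # chunk data not fully received
        pos += size + 2

def desync_report(raw: bytes) -> dict:
    """Compare the Content-Length view with the chunked view of one raw request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    m = re.search(rb"^Content-Length:[ \t]*(\d+)\r?$", head, re.I | re.M)
    cl = int(m.group(1)) if m else None
    strict_te = re.search(rb"^Transfer-Encoding:[ \t]*chunked\r?$", head, re.I | re.M)
    lenient_te = re.search(rb"transfer-encoding", head, re.I)   # sloppy back-end view
    forwarded = body if cl is None else body[:cl]  # what a CL front-end passes on
    te_end = chunked_end(forwarded) if lenient_te else len(forwarded)
    return {
        "both_headers": cl is not None and lenient_te is not None,  # RFC 7230: reject
        "obfuscated_te": lenient_te is not None and strict_te is None,
        "backend_waits": te_end is None,
        "tail": b"" if te_end is None else forwarded[te_end:],
    }
```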
Carrying out a real attack depends on the capabilities of the targeted site. For example, when attacking the Trello web application, the beginning of the request could be replaced (substituting data such as "PUT /1/members/1234... x=x&csrf=1234&username=testzzz&bio=cake"), and a message containing the original request of a third-party user together with the authentication cookie specified in it was then sent. In the attack on saas-app.com it turned out to be possible to inject JavaScript code into the response by substituting it into one of the request parameters. In the attack on redhat.com, an internal handler was used to redirect to the attacker's site (a request of the form "POST /search?dest=../assets/idx?redir=//[email protected]/ HTTP/1.1").
Using the technique against content delivery networks made it possible simply to swap the requested site by substituting the "Host:" header. The attack can also be used to poison the contents of content caching systems and to extract confidential data stored in the cache. The high point of the technique was the organisation of an attack on PayPal that made it possible to intercept the passwords users send during authentication (the iframe request was modified to execute JavaScript in the context of the paypal.com/us/gifts page, to which CSP (Content Security Policy) was not applied).
Interestingly, in 2005 there was
Source: opennet.ru