hx-headers
The hx-headers attribute allows you to add to the headers that will be submitted with an AJAX request.
By default, the value of this attribute is a list of name-expression values in JSON (JavaScript Object Notation) format.
If you wish for hx-headers to evaluate the values given, you can prefix the values with javascript: or js:.
<div hx-get="/example" hx-headers='{"myHeader": "My Value"}'>Get Some HTML, Including A Custom Header in the Request</div>
<div hx-get="/example" hx-headers='js:{myVal: calculateValue()}'>Get Some HTML, Including a Dynamic Custom Header from Javascript in the Request</div>
Security Considerations
By default, the value of hx-headers must be valid JSON. It is not dynamically computed. If you use the javascript: prefix, be aware that you are introducing security considerations, especially when dealing with user input such as query strings or user-generated content, which could introduce a Cross-Site Scripting (XSS) vulnerability.
Whilst far from being a foolproof solution to Cross-Site Request Forgery, the hx-headers attribute can support backend services to provide CSRF prevention. For more information see the CSRF Prevention section.
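One way to render a CSRF token into hx-headers as static JSON on the server, so that user-influenced values stay data and the js: prefix is never needed. This is an added example, not htmx's own code; the function names and the X-CSRF-Token header name are assumptions.

```javascript
// Added example; function names and the X-CSRF-Token header name are assumptions.

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

// Escape text for placement inside a quoted HTML attribute value.
function escapeAttr(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Inverse of escapeAttr: the attribute value as the browser's HTML parser decodes it.
function decodeAttr(text) {
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => DECODE[name]);
}

// Render hx-headers as static JSON. The value always starts with "{", so it
// never carries the js:/javascript: prefix and is parsed as data, not evaluated.
function hxHeadersAttr(headers) {
  for (const [name, value] of Object.entries(headers)) {
    // Header names must be HTTP tokens; values must not contain CR, LF or NUL.
    if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) {
      throw new TypeError("invalid header name: " + JSON.stringify(name));
    }
    if (typeof value !== "string" || /[\r\n\0]/.test(value)) {
      throw new TypeError("invalid value for header " + name);
    }
  }
  return "hx-headers='" + escapeAttr(JSON.stringify(headers)) + "'";
}

// Put the per-session token on a parent element; hx-headers is inherited,
// so every htmx request issued from inside <body> carries it.
function renderBody(csrfToken, innerHtml) {
  return "<body " + hxHeadersAttr({ "X-CSRF-Token": csrfToken }) + ">" + innerHtml + "</body>";
}

// Constructed sample value containing characters that would break naive templating.
const sampleToken = `tok'"<>&123`;
console.log(renderBody(sampleToken, '<button hx-post="/example">Save</button>'));
```

The backend still has to compare the received header against the token it issued for the session; the attribute only transports it.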
Notes
hx-headers is inherited and can be placed on a parent element.
A child declaration of a header overrides a parent declaration.