Ajax 为什么Twitter API授权数据可以通过GET或POST参数而不是HTTP头发送?


我在Greasemonkey脚本中使用oauth.js和sha1.js:

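// ==UserScript==
// @name        twitter_api
// @namespace   twitter
// @include     *
// @version     1
// @require http://oauth.googlecode.com/svn/code/javascript/oauth.js
// @require http://pajhome.org.uk/crypt/md5/sha1.js
// ==/UserScript==

// NOTE(review): "@include *" runs this script, and the requests below, on every
// page the browser opens, and both libraries are fetched over plain http. A
// library swapped in transit would see the secrets in `accessor`, so narrow
// @include to the pages that need it and pin https (or local) copies.

var url = "https://api.twitter.com/1.1/statuses/update.json";

// OAuth 1.0a credentials. "XXX" are placeholders; the real values are long-lived
// secrets and live in this file in clear text.
var accessor = {
  token: "XXX",
  tokenSecret: "XXX",
  consumerKey : "XXX",
  consumerSecret: "XXX"
};

// The request to be signed: HTTP method, URL and the application parameters.
var message = {
  action: url,
  method: "POST",
  parameters: {status: "apitest"}
};

// Adds the oauth_* protocol parameters to message.parameters and signs them.
// (completeRequest appears to sign as well; the explicit sign() re-signs the
// same parameters, so it is harmless but redundant — verify against oauth.js.)
OAuth.completeRequest(message, accessor);
OAuth.SignatureMethod.sign(message, accessor);

// Read the signed parameter map once instead of rebuilding it for every field.
var signed = OAuth.getParameterMap(message.parameters);

// Authorization header built from the same values that were signed, so the
// header cannot drift from the signature. OAuth.percentEncode is used instead of
// encodeURIComponent because OAuth 1.0 requires RFC 3986 encoding, which also
// escapes ! * ' ( ) that encodeURIComponent leaves as-is.
// oauth_signature_method and oauth_version are fixed strings here; they must
// match what was used during signing.
var authorization = "OAuth oauth_consumer_key=\"" + OAuth.percentEncode(signed.oauth_consumer_key) + "\""
            + ", oauth_nonce=\"" + OAuth.percentEncode(signed.oauth_nonce) + "\""
            + ", oauth_signature=\"" + OAuth.percentEncode(signed.oauth_signature) + "\""
            + ", oauth_signature_method=\"HMAC-SHA1\""
            + ", oauth_timestamp=\"" + OAuth.percentEncode(signed.oauth_timestamp) + "\""
            + ", oauth_token=\"" + OAuth.percentEncode(signed.oauth_token) + "\""
            + ", oauth_version=\"1.0\"";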
将授权标头与POST请求一起使用:

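// Variant 1: oauth_* parameters travel only in the Authorization header; the
// body carries just the application parameter. The body is derived from the
// signed parameter map rather than retyped, so it cannot drift from the value
// that went into the signature (a mismatch makes Twitter reject the request).
GM_xmlhttpRequest({
  method: "POST",
  url: url,
  data: OAuth.formEncode({status: OAuth.getParameterMap(message.parameters).status}),
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": authorization
  },
  onload: function(response) {
    alert(response.responseText);
  }
});

// Variant 2: every parameter, oauth_token and oauth_signature included, goes in
// the query string. TLS protects it in transit, but query strings are commonly
// written to server and proxy access logs, which is why the header form is the
// one to prefer for credentials.
GM_xmlhttpRequest({
  method: "POST",
  url: url + '?' + OAuth.formEncode(message.parameters),
  onload: function(response) {
    alert(response.responseText);
  }
});

// Variant 3: every parameter in the form-encoded body. Not logged like a query
// string, but the oauth_* values are mixed in with application data.
GM_xmlhttpRequest({
  method: "POST",
  url: url,
  data: OAuth.formEncode(message.parameters),
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  onload: function(response) {
    alert(response.responseText);
  }
});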
仅对POST请求使用GET参数:

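// Variant 1: oauth_* parameters travel only in the Authorization header; the
// body carries just the application parameter. The body is derived from the
// signed parameter map rather than retyped, so it cannot drift from the value
// that went into the signature (a mismatch makes Twitter reject the request).
GM_xmlhttpRequest({
  method: "POST",
  url: url,
  data: OAuth.formEncode({status: OAuth.getParameterMap(message.parameters).status}),
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": authorization
  },
  onload: function(response) {
    alert(response.responseText);
  }
});

// Variant 2: every parameter, oauth_token and oauth_signature included, goes in
// the query string. TLS protects it in transit, but query strings are commonly
// written to server and proxy access logs, which is why the header form is the
// one to prefer for credentials.
GM_xmlhttpRequest({
  method: "POST",
  url: url + '?' + OAuth.formEncode(message.parameters),
  onload: function(response) {
    alert(response.responseText);
  }
});

// Variant 3: every parameter in the form-encoded body. Not logged like a query
// string, but the oauth_* values are mixed in with application data.
GM_xmlhttpRequest({
  method: "POST",
  url: url,
  data: OAuth.formEncode(message.parameters),
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  onload: function(response) {
    alert(response.responseText);
  }
});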
仅对POST请求使用POST参数:

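// Variant 1: oauth_* parameters travel only in the Authorization header; the
// body carries just the application parameter. The body is derived from the
// signed parameter map rather than retyped, so it cannot drift from the value
// that went into the signature (a mismatch makes Twitter reject the request).
GM_xmlhttpRequest({
  method: "POST",
  url: url,
  data: OAuth.formEncode({status: OAuth.getParameterMap(message.parameters).status}),
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    "Authorization": authorization
  },
  onload: function(response) {
    alert(response.responseText);
  }
});

// Variant 2: every parameter, oauth_token and oauth_signature included, goes in
// the query string. TLS protects it in transit, but query strings are commonly
// written to server and proxy access logs, which is why the header form is the
// one to prefer for credentials.
GM_xmlhttpRequest({
  method: "POST",
  url: url + '?' + OAuth.formEncode(message.parameters),
  onload: function(response) {
    alert(response.responseText);
  }
});

// Variant 3: every parameter in the form-encoded body. Not logged like a query
// string, but the oauth_* values are mixed in with application data.
GM_xmlhttpRequest({
  method: "POST",
  url: url,
  data: OAuth.formEncode(message.parameters),
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  onload: function(response) {
    alert(response.responseText);
  }
});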
当Twitter明确表示必须发送授权头时,为什么这3个AJAX请求可以工作?

如果GET参数、POST参数和HTTP头三种方式的授权都被接受,我为什么应该更倾向于使用HTTP头?是因为它更安全,还是因为这只是一次API调用,用哪种方式并不重要?