JSONP request lost its referer header in 3.31

06-09-2021 08:30 PM by 佑刘 (New Contributor)

When I add a layer to the map, I found that the JSONP request lost its referer header; this may cause some problems.

The referer header is useful in our project.

I have debugged the latest version (3.31) like this:

佑刘_0-1623295397091.png

So I have some tests:

<html>
<body>
</body>
<script>
  var h =
    '\x3c!DOCTYPE html\x3e ' +
    '\x3chtml\x3e ' +
    '	\x3cmeta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src * \'unsafe-inline\'"\x3e ' +
    '\x3chead\x3e ' +
    '	\x3cscript\x3e ' +
    '		var url2 = \'https://sampleserver6.arcgisonline.com/arcgis/rest/services/SampleWorldCities/MapServer\'; ' +
    '		var f = document.createElement("script"); ' +
    '		f.type = "text/javascript"; ' +
    '		f.src=url2; ' +
    '		f.async = !0; ' +
    '		f.charset = "utf-8"; ' +
    '		document.getElementsByTagName("head")[0].appendChild(f); ' +
    '	\x3c/script\x3e ' +
    '\x3c/head\x3e ' +
    '\x3cbody\x3e ' +
    '\x3c/body\x3e ' +
    '\x3c/html\x3e';
  var a = document.createElement("iframe");
  a.name = "esri_core_jsonp_iframe";
  a.style.display = "none";
  // the Referer request header is lost if this line is added
  a.setAttribute("sandbox", "allow-scripts");
  a.srcdoc = h;
  document.body.appendChild(a);

  var a2 = document.createElement("iframe");
  a2.name = "esri_core_jsonp_iframe2";
  a2.style.display = "none";
  // I think this request header is normal
  // a2.setAttribute("sandbox", "allow-scripts");
  a2.srcdoc = h;
  document.body.appendChild(a2);
</script>

</html>

This function runs normally if I don't add the "sandbox" attribute, so why do you add the "sandbox" attribute? Please let me know, thank you!

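Background for the behaviour reported above, as an added example that is not part of the original post and is not Esri's code: the Referrer Policy specification returns "no referrer" when the requesting document has an opaque origin, which is what an iframe sandboxed without `allow-same-origin` gets. The sketch below is a simplified model of that step over constructed plain objects (not real DOM documents); the host page URL `https://app.example/...` and the function names are assumptions, and the browser default policy `strict-origin-when-cross-origin` is assumed.

```javascript
// Simplified model of "determine request's referrer" for the two iframes in the post.
// Documents are constructed plain objects: { url, srcdoc, sandbox, parent }.

// Sandbox flags are inherited from the container; without allow-same-origin
// the document is forced into an opaque origin.
function hasOpaqueOrigin(doc) {
  const own = doc.sandbox !== null &&
    !doc.sandbox.split(/\s+/).includes("allow-same-origin");
  return own || (doc.parent ? hasOpaqueOrigin(doc.parent) : false);
}

// Returns the URL used as the referrer source, or null for "no referrer".
function referrerSource(doc) {
  if (hasOpaqueOrigin(doc)) return null;        // opaque origin: nothing is sent
  let d = doc;
  while (d.srcdoc && d.parent) d = d.parent;    // srcdoc borrows the container's URL
  return d.url;
}

// Referer header value under strict-origin-when-cross-origin, or null if omitted.
function refererHeader(doc, requestUrl) {
  const src = referrerSource(doc);
  if (src === null) return null;
  const from = new URL(src), to = new URL(requestUrl);
  if (from.protocol === "https:" && to.protocol !== "https:") return null; // downgrade
  if (from.origin !== to.origin) return from.origin + "/";  // cross-origin: origin only
  from.hash = ""; from.username = ""; from.password = "";   // same-origin: stripped URL
  return from.href;
}

// Constructed host page, plus the two frames built in the post's test.
const host = { url: "https://app.example/map.html?id=1#layers", srcdoc: false,
               sandbox: null, parent: null };
const sandboxed = { url: "about:srcdoc", srcdoc: true, sandbox: "allow-scripts", parent: host };
const plain = { url: "about:srcdoc", srcdoc: true, sandbox: null, parent: host };
const SERVICE_URL =
  "https://sampleserver6.arcgisonline.com/arcgis/rest/services/SampleWorldCities/MapServer";

function demo() {
  return { sandboxed: refererHeader(sandboxed, SERVICE_URL),
           plain: refererHeader(plain, SERVICE_URL) };
}
console.log(demo());
```

A server that keys access decisions on `Referer` will therefore see no header from the sandboxed frame, so a missing value has to be handled as a distinct case from a mismatching one.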