我建立了同时使用HTTP内容和HTTP头发送和接收数据的AJAX应用程序。是否有一个点，从HTTP头接收到的数据将不会被浏览器阅读，因为它太大了？如果是的话，什么是限制，是它在所有的浏览器相同的行为？

I am building an AJAX application that uses both HTTP Content and HTTP Header to send and receive data. Is there a point where the data received from the HTTP Header won't be read by the browser because it is too big ? If yes, what is the limit and is it the same behaviour in all the browser ?

我知道，理论上是没有限制的HTTP标头的大小，但在实践有什么意义，过去的是，我可以在一定的平台，浏览器或安装了某个软件问题上的客户端计算机或机器。我更期​​待在引导线使用HTTP标头的安全技术。换句话说，到什么扩展可以HTTP标头被用于发送额外的数据，而不必进入行潜在的问题？

I know that theoretically there is no limit to the size of HTTP headers, but in practice what is the point that past that, I could have problem under certain platform, browsers or with certain software installed on the client computer or machine. I am more looking into a guide-line for safe practice of using HTTP headers. In other word, up to what extend can HTTP headers be used for transmitting additional data without having potential problem coming into the line ?

感谢，对所有输入这个问题，这是非常AP preciated和有趣。托马斯的回答得到了赏金，但Jon汉娜的回答提出了一个非常好的问题有关代理。

Thanks, for all the input about this question, it was very appreciated and interesting. Thomas answer got the bounty, but Jon Hanna's answer brought up a very good point about the proxy.

推荐答案

在实践中，虽然有规则从没有通过一定的头（实际上，相当明确的规则上，可以进行修改和prohibitting代理人甚至如何通知代理它是否可以修改由以后标准添加了新的报头），这仅适用于透明的代理，而不是所有的代理都是透明的。特别是一些擦头，他们不明白作为一个深思熟虑的安全做法。

In practice, while there are rules prohibitting proxies from not passing certain headers (indeed, quite clear rules on which can be modified and even on how to inform a proxy on whether it can modify a new header added by a later standard), this only applies to "transparent" proxies, and not all proxies are transparent. In particular, some wipe headers they don't understand as a deliberate security practice.

此外，在实践中做一些行为不端（虽然事情要好得多比他们）。

Also, in practice some do misbehave (though things are much better than they were).

因此​​，很明显的核心报头之外，你可以依靠从服务器到客户端传递报头信息的数目是零。

So, beyond the obvious core headers, the amount of header information you can depend on being passed from server to client is zero.

这只是原因之一，为什么你不应该依赖于使用的头好（例如，是ppared客户端重复的东西请求$ P $它应该缓存，或让服务器发送整个实体当你请求一个范围），除非在身份验证头明显的情况下（故障到安全的原则）。

This is just one of the reasons why you should never depend on headers being used well (e.g., be prepared for the client to repeat a request for something it should have cached, or for the server to send the whole entity when you request a range), barring the obvious case of authentication headers (under the fail-to-secure principle).