page.user.max.fetch.size=1000
# Maximum number of role records to fetch per page.
page.role.max.fetch.size=1000
# Maximum number of group records to fetch per page.
page.group.max.fetch.size=1000
# Maximum number of crawling info parameters to fetch per page.
page.crawling.info.param.max.fetch.size=100
# Maximum number of crawling info records to fetch per page.
page.crawling.info.max.fetch.size=1000

  /**
   * The HTTP <a href="https://w3c.github.io/webappsec-fetch-metadata/">{@code Sec-Fetch-Site}</a>
   * header field name.
   *
   * @since 27.1
   */
  public static final String SEC_FETCH_SITE = "Sec-Fetch-Site";

  /**
   * The HTTP <a href="https://w3c.github.io/webappsec-fetch-metadata/">{@code Sec-Fetch-User}</a>
   * header field name.
   *
   * @since 27.1

        name: Checkout PR for own repo
        if: env.HAS_SECRETS == 'true'
        with:
          # To be able to commit it needs to fetch the head of the branch, not the
          # merge commit
          ref: ${{ github.head_ref }}
          # And it needs the full history to be able to compute diffs
          fetch-depth: 0
          # A token other than the default GITHUB_TOKEN is needed to be able to trigger CI

    /** Phase name for content retrieval */
    String PHASE_FETCH = "fetch";

    /** Phase name for answer generation */
    String PHASE_ANSWER = "answer";

    /**
     * Called when a processing phase starts.
     *
     * @param phase the phase name (e.g., "intent", "search", "evaluate", "fetch", "answer")
     * @param message a human-readable message describing what's happening
     */

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: devprod/upgrade-to-latest-wrapper
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0
      - name: Setup java
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: 17

These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:

* don't have a `Content-Type` header (e.g. using `fetch()` with a `Blob` body)
* and don't send any authentication credentials.

This type of attack is mainly relevant when:

* the application is running locally (e.g. on `localhost`) or in an internal network

## CSRF 风险 { #csrf-risk }

此默认行为在一个非常特定的场景下，可防御一类跨站请求伪造（CSRF）攻击。

这类攻击利用了浏览器的一个事实：当请求满足以下条件时，浏览器允许脚本在不进行任何 CORS 预检的情况下直接发送请求：

- 没有 `Content-Type` 头（例如使用 `fetch()` 携带 `Blob` 作为 body）
- 且不发送任何认证凭据。

这种攻击主要在以下情况下相关：

- 应用在本地（如 `localhost`）或内网中运行
- 且应用没有任何认证，假定来自同一网络的请求都可信。

## 攻击示例 { #example-attack }

假设你构建了一个本地运行的 AI 代理。

它提供了一个 API，地址为

```

name: 'Auto Assign PR to Author'
on:
  pull_request:
    types: [opened]

permissions: {}

jobs:
  add-reviews:
    permissions:
      contents: read  # for kentaro-m/auto-assign-action to fetch config file
      pull-requests: write  # for kentaro-m/auto-assign-action to assign PR reviewers
    runs-on: ubuntu-latest
    steps:

         */
        protected Queue<OpenSearchUrlQueue> crawlingQueue = new ConcurrentLinkedQueue<>();
    }

    /**
     * Sets the polling fetch size.
     * @param pollingFetchSize The polling fetch size.
     */
    public void setPollingFetchSize(final int pollingFetchSize) {
        this.pollingFetchSize = pollingFetchSize;
    }

    /**

        val response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString())
        if (response.statusCode() > 399) {
            throw RuntimeException("Failed to fetch versions from Gradle services: ${response.statusCode()} ${response.body()}")
        }
        val versions = Gson().fromJson(response.body(), Array<GradleServicesVersion>::class.java)