django: csrf_token for multiple forms and ajax requests on a single page

Question

My website has a single page with 2 forms and 3 ajax-based POST calls. I have used csrf_token in one of the forms. Also, to be able to perform csrf-safe ajax calls, I am using the guidelines posted on the official documentation: https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/ and this blog: https://realpython.com/blog/python/django-and-ajax-form-submissions/

As suggested, by using this piece of code https://gist.github.com/broinjc/db6e0ac214c355c887e5 in my javascript file, it seems I am able to perform POST requests without any problems.

Questions:

  1. Is using csrf_token in one of the forms along with the javascript code (mentioned above) sufficient to ensure csrf forgery? Should I be using csrf_token in the second form?
  2. As suggested in this SO post Generating CSRF tokens for multiple forms on a single page it seems using the same token should be fine. However, just to be clear, I am using {% csrf_token %} in my first form and not a hidden field as mentioned in the post. And I am not using any csrf_token in my second form.
  3. Should I be doing anything extra for my ajax calls or are they fine?
  4. Is there a way to check in a views.py function that the call is csrf safe?

Let me know if you need more information and I will be happy to elaborate further.

Recommended answer

Is using csrf_token in one of the forms along with the javascript code (mentioned above) sufficient to ensure csrf forgery? Should I be using csrf_token in the second form?

I hope not ;) Enabling the CsrfViewMiddleware in Django is sufficient to ensure that your views are protected against cross-site request forgery. If you use two separate HTML forms (two <form></form> tags), both forms need to have a hidden CSRF token field. If you use two Django forms in a single form tag, you only need it once.

If that javascript snippet would send the token with any request, not just AJAX requests, you would only need the token once, but I don't believe it does, so you need it in each HTML form.

As suggested in this SO post Generating CSRF tokens for multiple forms on a single page it seems using the same token should be fine. However, just to be clear, I am using {% csrf_token %} in my first form and not a hidden field as mentioned in the post. And I am not using any csrf_token in my second form.

The {% csrf_token %} tag creates a hidden field for you, so essentially you are using a hidden field.

Should I be doing anything extra for my ajax calls or are they fine?

The javascript you included sets a header to the value of the CSRF token on every AJAX request. This header replaces the post data that is usually sent by the hidden field in a form. Any AJAX calls you send through jQuery will have this header; you won't need to do anything else.

Is there a way to check in views.py function that the call is csrf safe?

Not really. As long as you have the CsrfViewMiddleware enabled and you're not using the csrf_exempt decorator, your view is protected. If the call is unsafe, the middleware will return a 403 Forbidden response before the request even reaches the view.
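To make that decision concrete, here is an added Python model of the check CsrfViewMiddleware applies before a view runs; it is not Django's own code and runs without Django installed. It assumes the plain cookie-to-token comparison of the Django 1.7 line the question links (later releases mask the token), and the request dict, helper names and token values are constructed stand-ins.

```python
import hmac
import secrets

# Names Django uses: the cookie, the hidden field that {% csrf_token %}
# renders, and the WSGI key under which the X-CSRFToken header arrives.
CSRF_COOKIE = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"
HEADER = "HTTP_X_CSRFTOKEN"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def make_request(method, cookie=None, post_token=None, header_token=None):
    """Constructed stand-in for HttpRequest: a plain dict, not Django's class."""
    return {
        "method": method,
        "cookies": {CSRF_COOKIE: cookie} if cookie else {},
        "post": {FORM_FIELD: post_token} if post_token else {},
        "meta": {HEADER: header_token} if header_token else {},
    }


def csrf_check(request):
    """Decide, as the middleware does, whether the view may run: (status, reason)."""
    if request["method"] in SAFE_METHODS:
        return 200, "safe method, no token required"
    cookie = request["cookies"].get(CSRF_COOKIE)
    if not cookie:
        return 403, "CSRF cookie not set"
    # The hidden field is read first; an AJAX POST has none, so the value of
    # the X-CSRFToken header set by the jQuery snippet is used instead.
    submitted = request["post"].get(FORM_FIELD) or request["meta"].get(HEADER) or ""
    if not hmac.compare_digest(submitted, cookie):
        return 403, "CSRF token missing or incorrect"  # view is never reached
    return 200, "token accepted"


def demo():
    token = secrets.token_hex(16)  # constructed stand-in for the cookie value
    return {
        "form_with_tag": csrf_check(make_request("POST", token, post_token=token)),
        "form_without_tag": csrf_check(make_request("POST", token)),
        "ajax_with_header": csrf_check(make_request("POST", token, header_token=token)),
        "forged_wrong_token": csrf_check(make_request("POST", token, post_token="guess")),
        "plain_get": csrf_check(make_request("GET")),
    }


if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{name:18} -> {status} ({reason})")
```

The real middleware additionally verifies the Referer header on HTTPS requests, which this model omits; the second form without {% csrf_token %} is the case that fails here.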
