Rails要求伪造保护设置 [英] Rails request forgery protection settings

问题描述

请在Rails中帮助新手:)我有protect_from_forgery调用(默认情况下给出)，而我的ApplicationController类中没有任何属性.

please help a newbie in Rails :) I have protect_from_forgery call (which is given by default) with no attributes in my ApplicationController class.

基本上这是代码:

class ApplicationController < ActionController::Base
  helper :all # include all helpers, all the time
  protect_from_forgery
  helper_method :current_user_session, :current_user
  filter_parameter_logging :password, :password_confirmation

我认为它应该做的是:它应阻止没有正确authenticity_token的任何POST请求.但是，当我使用下面的jQuery发送发布请求时，它可以正常工作(在数据库中执行了update语句)！

What I assume it should do is: it should prevent any POST requests without correct authenticity_token. But when I send post request with jQuery like the one below, it works fine (there's update statement that is executed in the database)!

$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });

我在控制台中看到，发送的参数中没有authenticity_token，但是请求仍然被认为是有效的.为什么会这样?

I see in console that there's no authenticity_token among sent parameters, but request is still considered valid. Why is that?

UPD 在config/environments/development.rb

UPD Found config setting in config/environments/development.rb

config.action_controller.consider_all_requests_local = true

由于DEV环境和本地请求，这些jQuery发布请求是可以的.

Because of the DEV environment and local requests, these jQuery post requests were OK.

推荐答案

只要从应用程序内部执行请求$.post($(this).attr("href"), { _method: "PUT", data: { test: true } });，您的代码就没有问题.如果您在其他地方运行了另一个应用程序，例如在localhost:3001上说，并且您从那里发送了一条信息，那么它将无法正常工作.实际上，如果您使用的是firefox> 3.0，它也可以早期实现跨站点xhr.例如，您可以从任何其他站点发送POST(但是，在Protect_from_forgery已关闭的情况下，此方法有效！). xhr不需要身份验证令牌的原因是跨站点xhr被禁用.因此，无需提供身份验证令牌即可使用xhr是安全的.如果您尝试从您的应用程序以外的其他任何地方尝试，我相信它将引发请求身份验证令牌的异常.另外，您还应该定义一个crossdomain.xml，以防止来自外部源的访问.

There is nothing wrong with your code as long as the request $.post($(this).attr("href"), { _method: "PUT", data: { test: true } }); is executed from within the app itself. If you had another app running elsewhere, say for example on localhost:3001, and you sent a post from there then it won't work. Infact if you are on firefox > 3.0 it has an early implementation of cross site xhr too. For example you can send a POST from any other site (but this works provided protect_from_forgery is turned off!). The reason why auth token is not necessary for xhr is that cross site xhr is disabled. So it is safe to use xhr without providing auth token. If you try from any where else other than your app, i am sure it will raise an exception asking for an auth token. Also you should have a crossdomain.xml defined to prevent access from outside sources.

尝试执行此操作:curl -X -d url_endpoint_of_your_app.查看是否收到200响应码.如果这样做，那么那里有些腥.

Try doing this: curl -X -d url_endpoint_of_your_app. See if you get a 200 response code. If you do then there is something fishy.

这篇关于Rails要求伪造保护设置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！