Django - CSRF verification failed - send data from form on static website to my django app


Problem description

My setup:

  • A static website as landing page served via aws S3 (welcome.mydomain.com).
  • A django app (django-1.8 with python 2.7) accessible via a subdomain (app.mydomain.com).


I would like to add a contact form which is part of my static website and which sends the contact form info to my django server to be processed. I do not want to add the contact form as a template to my django app because I am using different style sheets and resources and don't want to mix them between the servers. The view processing the form data is just adding this data to an email and sending this to an internal email address.


I get a 403 csrf verification failed error because the form does not include the csrf token.


I could now exempt the view receiving the request from the csrf verification but I am not sure which security risks this poses.


I am not sure if I am not understanding the csrf attacks and dangers or if I am looking at this problem the wrong way. All my searches and all the answers to django-csrf related questions have not helped me so far.

Here are my questions:

  • Is there a better way to solve this problem?
  • Can I use csrf_exempt without adding any security risk (for example, by doing extra validation)?

Recommended answer


You can dynamically add a CSRF token, which is a technique used for ajax requests. From https://docs.djangoproject.com/en/1.11/ref/csrf/:

/**
 * getCookie gets a cookie called 'name' in the current session
 * @param name name of the cookie to get
 * @returns value of the cookie requested, null if not found
 */
function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie !== '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) === (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}

var csrftoken = getCookie('csrftoken');

function csrfSafeMethod(method) {
    // these HTTP methods do not require CSRF protection
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}

/**
 * When doing posts, deletes, etc. we need to transmit the CSRF cookie for
 * the request to go through properly, so add the cookie to all ajax calls
 * that need the cookie.
 */
$.ajaxSetup({
    beforeSend: function (xhr, settings) {
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});


You can then make the 'submit' click on your form post the form data via an ajax call, followed by a redirect to the next page.
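A jQuery-free version of the same technique, added here as an example and not taken from the answer or the Django docs: it reads the csrftoken cookie, echoes it in the X-CSRFToken header only for unsafe methods (Django's double-submit check), and wires that to the form's submit event followed by a redirect. The form id `contact-form` and the redirect target `/thanks.html` are assumptions, as is that the page can read the cookie at all; a cookie set for app.mydomain.com is not visible to a page on welcome.mydomain.com unless its domain attribute covers both hosts.

```javascript
// Parse a document.cookie string and return the named cookie's value, or null.
function cookieValue(cookieString, name) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Django only checks the token on state-changing methods; safe methods need no header.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Build the extra headers for a fetch() call: echo the csrftoken cookie in
// X-CSRFToken for unsafe methods, nothing for safe ones. Throwing when the
// cookie is absent makes a cookie-scope problem visible instead of a silent 403.
function csrfHeaders(method, cookieString) {
  const headers = {};
  if (csrfSafeMethod(method)) return headers;
  const token = cookieValue(cookieString, 'csrftoken');
  if (token === null) {
    throw new Error('csrftoken cookie is not readable from this origin');
  }
  headers['X-CSRFToken'] = token;
  return headers;
}

// Submit handler: post the form fields with the token header, then redirect.
// Assumes form.action points at the Django view on app.mydomain.com.
async function submitContactForm(event) {
  event.preventDefault();
  const form = event.target;
  const response = await fetch(form.action, {
    method: 'POST',
    credentials: 'include', // send the csrf/session cookies with the request
    headers: csrfHeaders('POST', document.cookie),
    body: new FormData(form),
  });
  if (response.ok) {
    window.location.assign('/thanks.html'); // assumed next page
  } else {
    console.error('contact form rejected with status', response.status);
  }
}

// Only wire up the handler when running in a browser with the form present.
const contactForm = typeof document !== 'undefined' && document.getElementById('contact-form');
if (contactForm) contactForm.addEventListener('submit', submitContactForm);
```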
