使用CSRF_COOKIE_HTTPONLY将Django CSRF令牌传递给Angular [英] Pass Django CSRF token to Angular with CSRF_COOKIE_HTTPONLY
问题描述
在Django中,当CSRF_COOKIE_HTTPONLY设置设置为True时,CSRF cookie将获得httponly标志,这从安全角度来看是理想的,但是却破坏了将cookie添加到httpProvider的标准角度解决方案,如下所示:/p>
In Django, when the CSRF_COOKIE_HTTPONLY setting is set to True, the CSRF cookie gains the httponly flag, which is desirable from a security perspective, but breaks the standard angular solution of adding this cookie to the httpProvider like so:
$httpProvider.defaults.xsrfCookieName = 'csrftoken';
$httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken';
通过Django 1.9,有一种解决方法,您可以通过将cookie放置在模板中直接将cookie直接传递给应用程序:
Through Django 1.9, there was a workaround where you could just pass the cookie directly to the app by putting this in the template:
<script>
window.csrf_token = "{{ csrf_token }}";
</script>
并将其放入有角度的应用程序中:
And putting this in the angular app:
angularApp.config(["$httpProvider", function($httpProvider) {
$httpProvider.defaults.headers.common["X-CSRFToken"] = window.csrf_token;
}]
不幸的是,这不适用于Django 1.10+中的单页角度应用程序,因为CSRF cookie在每次请求后都会更改.启用CSRF_COOKIE_HTTPONLY设置时,如何从Angular向Django 1.10+发出发布请求?
注意:不能接受CSRF保护.
Unfortunately, this doesn't work for single page angular apps in Django 1.10+ since the CSRF cookie changes after every request. How do you make post requests from Angular to Django 1.10+ with the CSRF_COOKIE_HTTPONLY setting on?
NB: Disabling CSRF protection is not an acceptable answer.
推荐答案
我认为这个问题在本次讨论中得到了很好的回答.
I think this question was answered well in this discussion.
https://groups.google.com/forum/# !topic/django-developers/nXjfLd8ba5k
https://code.djangoproject.com/ticket/27534
CSRF_COOKIE_HTTPONLY不为单页应用程序提供任何其他安全性.有些人推荐这种解决方案
CSRF_COOKIE_HTTPONLY does not provide any additional security for single page apps. Some people reccomended this solution
var csrftoken = getCookie('csrftoken');
if (csrftoken === null) {
csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
if (csrftoken === null) {
console.log('No csrf token');
}
}
但是,或者如果您为应用程序完全公开了csrftoken,则没有什么可以阻止恶意用户使用它.如果您正在运行一个单页面应用程序,则最好将CSRF_COOKIE_HTTPONLY = False设置为,按以下注释:
however either or if you are exposing csrftoken for your app restfully nothing stops the malcious user from taking it and using it as well. If you are running a single page app you might as well set CSRF_COOKIE_HTTPONLY=False, As per comment bellow:
Gavin Wahl 15年5月4日
Gavin Wahl 5/4/15
如何?您不能只是从不同的域Ajax获取内容.
How so? You cannot just ajax-fetch stuff from different domains.
我说的是一个域.在页面上注入了javascript 不包含CSRF令牌可以在同一页面上获取其他页面 域来获取它.
I'm talking about a single domain. Injected javascript on a page that doesn't contain the CSRF token can fetch a different page on the same domain to get it.
如果您已经将JavaScript注入受害者页面(XSS),则无需获取CSRF令牌,那么您已经获得了更大的控制权.
If you already injected javascript onto the victims page (XSS) there is no need to fetch the CSRF token, you already got greater control.
好吧,HttpOnly标志旨在减少攻击者的损失 一旦可以注入javascript就可以执行.但我同意-隐藏 来自javascript的CSRF令牌不会以任何方式提高安全性, 但文档表明确实如此.我想在 说明此设置没有任何意义的文档.
Well, the HttpOnly flag is intended to reduce the damage an attacker can do once the already can inject javascript. But I agree -- hiding the CSRF token from javascript doesn't increase security in any way, but the documentation implies it does. I want to make it clear in the documentation that this setting has no meaningful effect.
如果您仍然认为那里有一个有效的攻击媒介,请将其发送至secu ... @ djangoproject.com并添加更多说明.
If you still think you have a valid attack vector there, please send it to secu...@djangoproject.com and add a bit more explanation.
没有攻击媒介.这只是误导 文档.
There is no attack vector. This is just about misleading documentation.
这篇关于使用CSRF_COOKIE_HTTPONLY将Django CSRF令牌传递给Angular的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
