开机自检到Razor页面时出现400错误的请求 [英] 400 Bad Request when POST-ing to Razor Page
问题描述
我的页面有...
@page "{candidateId:int}"
...和
@Html.AntiForgeryToken()
模型有...
public void OnGet(int candidateId)
{
}
public void OnPost(int candidateId)
{
}
GET工作正常.这是我的AJAX请求.
GET works fine. Here is my AJAX request..
$.ajax({
type: "POST",
url: "/Skills/" + candidateId,
beforeSend: function (xhr) {
xhr.setRequestHeader("XSRF-TOKEN",
$('input:hidden[name="__RequestVerificationToken"]').val());
},
data: {
name: 'hi mum'
},
success: function (response) {
},
failure: function (response) {
alert(response);
}
});
浏览器收到无用的错误消息... 400错误的请求.
Browser receives useless error message... 400 Bad Request.
我想念什么?
推荐答案
您收到400(错误请求)响应,因为框架希望RequestVerificationToken
作为发布的请求的一部分.框架使用此框架来防止可能的CSRF攻击.如果您的请求没有此信息,则框架将返回400错误的请求.您当前的代码未发送.
You are getting a 400 (Bad Request) response because the framework expects the RequestVerificationToken
as part of the posted request.The framework uses this to prevent possible CSRF attacks. If your request does not have this information, the framework will return the 400 bad request. Your current code is not sending it.
将代码更改为此
headers:
{
"RequestVerificationToken": $('input:hidden[name="__RequestVerificationToken"]').val()
},
这会将带有键RequestVerificationToken
的新项添加到请求标头中,并且在进行调用时,框架不应抛出400响应. (假设您的视图代码为__RequestVerificationToken
隐藏输入生成了隐藏输入)
This will add a new item with key RequestVerificationToken
to the request header and the framework should not throw a 400 response when the call is made. (assuming your view code generated the hidden input for the __RequestVerificationToken
hidden input)
通过将IAntiforgery
实现注入到视图/页面并使用GetAndStoreTokens
方法,可以使代码更加健壮.
You can make the code more robust by injecting the IAntiforgery
implementation to the view/page and using the GetAndStoreTokens
method.
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@functions{
public string GetAntiXsrfRequestToken()
{
return Xsrf.GetAndStoreTokens(Model.HttpContext).RequestToken;
}
}
并调用此GetAntiXsrfRequestToken
函数以获取javascript中的值
and call this GetAntiXsrfRequestToken
function to get the value in your javascript
headers:
{
"RequestVerificationToken": '@GetAntiXsrfRequestToken()'
},
您可能还想使用PageModel的CandidateId
属性来创建URL.像这样
You also probably want to use the PageModel's CandidateId
property to create the url. Something like this
url: "/Skills/@Model.CandidateId",
此外,您确实需要显式调用@Html.AntiForgeryToken()
方法以生成令牌输入.拥有带post方法且没有action属性值的表单将为您生成隐藏的输入.
Also, you do need to call @Html.AntiForgeryToken()
method explicitly to generate the token input. Having a form with post method with no action attribute value will generate the hidden input for you.
<form method="post">
<!-- your inputs-->
</form>
这篇关于开机自检到Razor页面时出现400错误的请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!