CSRF Cookie not set when posting request with AngularJs - Django Backend


Problem description

I'm building a web app with angularjs and django and I'm submitting a form via an Ajax request.

My problem is that when posting an Ajax request with angular (ng-file-upload precisely) the csrfmiddlewaretoken expected by django is not set.

From my reading of the angular documentation and other forums I ended up with the following configuration.

In the angular config section:

$httpProvider.defaults.xsrfCookieName = 'csrftoken';
$httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken';
$httpProvider.defaults.withCredentials = true;

and in my controller the code for sending the request is:

Upload.upload({
    url: 'http://localhost:8000/image',
    headers: {
        'X-CSRFToken': $cookies['csrftoken']
    },
    data: {file: file}
})

With that code the request sent has the following headers:

Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4,de;q=0.2,fi;q=0.2
Connection:keep-alive
Content-Length:16582
Content-Type:multipart/form-data; boundary=----WebKitFormBoundarybWo821vSwcejTATP
Cookie:csrftoken=bC2UpXurGXAg3AUZgSqMVlUs8TKfussS
Host:localhost:8000
Origin:http://127.0.0.1:8000
Referer:http://127.0.0.1:8000/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
X-CSRFToken:UeSt4LoqgU9L28JQBdVbS2IJJXOMQK6n

However, for django to be able to handle csrf protection correctly, the following header is missing:

Cookie:_ga=GA1.1.1358238168.1447425523; XSRF-TOKEN=zWIM6q7O2Nz3PLm8TMUJSLFVRF8bKUbr; csrftoken=UeSt4LoqgU9L28JQBdVbS2IJJXOMQK6n

So far, and despite having seen a lot of forums about this topic, I didn't manage to set this header. If I try to set it programmatically via:

Upload.upload({
    url: 'http://localhost:8000/image',
    headers: {
        'Cookie': 'csrftoken=' + $cookies['csrftoken']
    },
    data: {file: file}
})

I end up with the following error in my console:

Refused to set unsafe header "Cookie"

My problem is really how to configure the cookie header from the client side. My django code is fine.

I have been struggling with this for quite a time now. Any help would be appreciated! Thanks
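As an added illustration (not code from the question or the answer), the Python below reproduces Django's CsrfViewMiddleware comparison of the csrftoken cookie against the X-CSRFToken header on the request captured above, and adds an Origin/Host comparison that explains why the two values differ; the header values are copied from the question and the function names are my own.

```python
# Added example (not from the question or answer): reproduces the check
# Django's CsrfViewMiddleware applies to the captured request from the question
# (the csrftoken cookie must equal the X-CSRFToken header, a double-submit
# cookie scheme), plus a host comparison that shows why they differ here.
# The header block below is copied from the question; values are the asker's.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

RAW_HEADERS = """\
Content-Type:multipart/form-data; boundary=----WebKitFormBoundarybWo821vSwcejTATP
Cookie:csrftoken=bC2UpXurGXAg3AUZgSqMVlUs8TKfussS
Host:localhost:8000
Origin:http://127.0.0.1:8000
Referer:http://127.0.0.1:8000/
X-CSRFToken:UeSt4LoqgU9L28JQBdVbS2IJJXOMQK6n
"""

def parse_headers(raw):
    """Split 'Name:value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def csrf_check(headers):
    """Return (ok, reasons): ok is True only when cookie and header tokens agree."""
    reasons = []
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else None
    header_token = headers.get("x-csrftoken")
    if cookie_token is None:
        reasons.append("no csrftoken cookie sent")
    if header_token is None:
        reasons.append("no X-CSRFToken header sent")
    if cookie_token and header_token and cookie_token != header_token:
        reasons.append("csrftoken cookie and X-CSRFToken header differ")
    # Cookies are scoped per host: a page served from 127.0.0.1 reads a
    # different csrftoken cookie than the browser holds for localhost.
    origin_host = urlsplit(headers.get("origin", "")).netloc
    if origin_host and origin_host != headers.get("host"):
        reasons.append(f"Origin host {origin_host} differs from Host {headers.get('host')}")
    return (not reasons, reasons)
```

Running `csrf_check(parse_headers(RAW_HEADERS))` reports both the token mismatch and the 127.0.0.1 vs localhost host difference, which is the condition under which Django rejects the request.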

Recommended answer

If you added the csrftoken to the client headers: {'X-CSRFToken': $cookies['csrftoken']}, it means your client is most probably ready, but for security matters, if you interact with the django api from an external application it will still block the request, returning unsafe header "Cookie". Try the following configuration to allow cross-site requests to your app:

pip install django-cors-headers

Then add it to your installed apps in settings.py:

INSTALLED_APPS = (
    ...
    'corsheaders',
    ...
)

You will also need to add a middleware class to listen in on responses, and make sure you respect the order as follows:

MIDDLEWARE_CLASSES = (
    ...
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
)

and finally add this settings variable:

CORS_ORIGIN_ALLOW_ALL = True

This should be enough, but for more customized configuration you can check django-cors-headers.
