Rails InvalidCrossOriginRequest
Problem description
I have a remote: true link on a page in my Rails app which calls a .js version of the same page and then runs a script to update the page's content in place.
It was working fine but since yesterday I now get "Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding." every time I click one of those links.
Any ideas on how I can stop this?
Recommended answer
Add this to the controller that is rendering your page fragment:
    class FooController < ApplicationController
      # Skip forgery protection for the index action only
      protect_from_forgery except: :index
    end
Where index is the name of the action you wanna skip this protection for.
The error you were getting is because of what is called Cross-Origin policy. It's a standard present in every browser that doesn't allow a page to run scripts from other domains. The way to go around this is adding a header to the HTTP request allowing your content to be run in other domains.
Wikipedia has an explanation for this:
The second technique for relaxing the same-origin policy is standardized under the name Cross-Origin Resource Sharing. This standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header. It allows servers to use a header to explicitly list origins that may request a file or to use a wildcard and allow a file to be requested by any site. Browsers such as Firefox 3.5, Safari 4 and Internet Explorer 10 use this header to allow the cross-origin HTTP requests with XMLHttpRequest that would otherwise have been forbidden by the same-origin policy.
http://en.wikipedia.org/wiki/Same-origin_policy
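The check that produces this warning can be modelled as follows. This is an added example, not part of the original answer and not Rails' own source: a simplified Ruby model of the after-action check in ActionController::RequestForgeryProtection, where the Request struct, the same_origin_check helper and the sample requests are hypothetical and constructed for illustration.

```ruby
# Simplified model (assumption: mirrors the Rails check, not copied from it).
Request = Struct.new(:method, :headers, keyword_init: true) do
  # Rails' request.xhr? looks for the X-Requested-With: XMLHttpRequest header,
  # which the remote: true (UJS) driver adds to its Ajax calls.
  def xhr?
    headers.fetch("X-Requested-With", "").match?(/XMLHttpRequest/i)
  end
end

JS_MEDIA_TYPE = %r{\A(?:text|application)/javascript}

# Returns :ok or :invalid_cross_origin_request.
# skip_forgery_protection models `protect_from_forgery except: :action`.
def same_origin_check(request, response_media_type, skip_forgery_protection: false)
  return :ok if skip_forgery_protection
  return :ok unless request.method == "GET"            # only GETs are marked for this check
  return :ok unless response_media_type.to_s.match?(JS_MEDIA_TYPE)
  return :ok if request.xhr?                           # Ajax is already bound by same-origin policy
  :invalid_cross_origin_request                        # JS served to a non-Ajax GET
end

# Constructed sample requests.
REMOTE_LINK = Request.new(method: "GET",
                          headers: { "X-Requested-With" => "XMLHttpRequest" })
PLAIN_GET   = Request.new(method: "GET", headers: {})  # e.g. a <script src> load

# Runs the scenarios discussed on this page and returns the outcomes.
def demo
  {
    remote_link_js:   same_origin_check(REMOTE_LINK, "text/javascript"),
    plain_get_js:     same_origin_check(PLAIN_GET, "text/javascript"),
    plain_get_html:   same_origin_check(PLAIN_GET, "text/html"),
    plain_get_exempt: same_origin_check(PLAIN_GET, "text/javascript",
                                        skip_forgery_protection: true)
  }
end

demo.each { |name, result| puts "#{name}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

In this model the exempted action returns its JavaScript to the plain GET as well, so an action listed under except: should render nothing user-specific in its .js response.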