为 json rails 调用禁用 csrf 令牌是否安全? [英] security safe to disable csrf tokens for json rails calls?
问题描述
我有一个现有的 rails 后端网站,可以对服务器进行 json 调用.现在,我正在开发一个移动 iOS 应用程序以使用相同的后端并在 json 中发送调用.但是,移动请求失败:
I have an existing rails backend website which makes json calls to server. Now,I am developing a mobile iOS app to use the same backend and send calls in json. However, mobile requests are failing with:
WARNING: Can't verify CSRF token authenticity
在 stackoverflow 中搜索,许多人建议使用以下内容禁用对 json 调用的 csrf 检查:
Searching around stackoverflow, many suggested to disable csrf checks for json calls by using something like this:
# Or this in your application_controller.rb
def verified_request?
if request.content_type == "application/json"
true
else
super()
end
end
但我的问题是,我不明白这如何防止 json 格式的 csrf 攻击?攻击者始终可以从他们的站点向我们的端点发送 json 请求.任何人都有这方面的见解?我找不到任何明确的答案.
But my question is , I dont understand how does this prevent csrf attacks in json format? Attacker can always send a json request to our endpoint from their site. Anyone has insights into this? I couldn't find any clear answer to this.
推荐答案
你所描述的很容易使用 Flash:
What you are describing is very easy to exploit using Flash:
var request:URLRequest = new URLRequest("http://stackoverflow.com");
request.requestHeaders.push(new URLRequestHeader('Content-Type', 'application/json'));
request.data = unescape('{"a":1,"b":{"c":3}}');
request.method = URLRequestMethod.POST;
navigateToURL(request, '_blank');
如果您查看 CSRF 预防备忘单,您可以查看推荐人以确保它来自您信任的域.如果引用者为空,则它可能源自 https url,因此应将其视为失败.依赖 Ruby 的 CSRF 令牌是一种更强大的 CSRF 保护.
If you look at the CSRF prevention cheat sheet you can check the referer to make sure its from a domain you trust. If the referer is blank then it could be originating from a https url, so that should be considered a failure. Relying on Ruby's CSRF token is a stronger form a CSRF protection.
这篇关于为 json rails 调用禁用 csrf 令牌是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!