Security safe to disable CSRF tokens for JSON Rails calls?


Question

I have an existing Rails backend website which makes JSON calls to the server. Now I am developing a mobile iOS app to use the same backend and send calls in JSON. However, mobile requests are failing with:

WARNING: Can't verify CSRF token authenticity

Searching around Stack Overflow, many suggested disabling CSRF checks for JSON calls by using something like this:

# Or this in your application_controller.rb
def verified_request?
  if request.content_type == "application/json"
    true
  else
    super()
  end
end

But my question is, I don't understand how this prevents CSRF attacks in JSON format? An attacker can always send a JSON request to our endpoint from their site. Anyone have insights into this? I couldn't find any clear answer to this.

Answer

What you are describing is very easy to exploit using Flash:

var request:URLRequest = new URLRequest("http://stackoverflow.com");
request.requestHeaders.push(new URLRequestHeader('Content-Type', 'application/json'));
request.data = unescape('{"a":1,"b":{"c":3}}');
request.method = URLRequestMethod.POST;
navigateToURL(request, '_blank');

If you look at the CSRF prevention cheat sheet, you can check the referer to make sure it's from a domain you trust. If the referer is blank then it could be originating from an https URL, so that should be considered a failure. Relying on Ruby's CSRF token is a stronger form of CSRF protection.
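The check a `verified_request?` override should actually make, written out as an added example (not code from the question, the answer, or Rails itself): plain Ruby with no Rails dependency, so `Request`, `SAFE_METHODS`, the `trusted_origins:` keyword and the sample header values are this example's own assumptions. It never consults the content type, because a third-party page can send `application/json` together with the victim's cookies; instead it treats a cookie-authenticated request as verified only when the Origin/Referer is trusted (blank counts as failure, as the answer says) and the session's CSRF token matches, while a mobile client that carries no session cookie and authenticates with an `Authorization` header is outside CSRF's reach and is passed through to normal authentication.

```ruby
require "uri"

SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Stand-in for the parts of a Rails request a CSRF check looks at (assumed shape).
#   cookie_session: true when the client was identified by a session cookie
#   session_token:  the CSRF token stored server-side for that session (or nil)
Request = Struct.new(:http_method, :content_type, :headers, :cookie_session, :session_token,
                     keyword_init: true)

# Constant-time comparison so the token check does not leak by timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Normalise an Origin or Referer value to "scheme://host[:port]"; nil if unusable.
def origin_of(value)
  uri = URI.parse(value)
  return nil unless uri.scheme && uri.host
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}".downcase
rescue URI::InvalidURIError
  nil
end

# Browsers attach Origin (or at least Referer) to cross-site POSTs. A blank value
# is treated as a failure, not as "same site".
def same_origin?(request, trusted_origins)
  source = request.headers["Origin"] || request.headers["Referer"]
  return false if source.nil? || source.strip.empty?
  origin = origin_of(source)
  !origin.nil? && trusted_origins.include?(origin)
end

def bearer_token?(request)
  auth = request.headers["Authorization"]
  !auth.nil? && auth.start_with?("Bearer ")
end

# Replacement for the "true if JSON" override from the question.
def verified_request?(request, trusted_origins:)
  return true if SAFE_METHODS.include?(request.http_method.to_s.upcase)

  # Mobile app: no session cookie, credentials in a header the browser would never
  # add on an attacker's behalf, so CSRF does not apply. Validating the bearer
  # token itself is the authentication layer's job.
  return true if !request.cookie_session && bearer_token?(request)

  # Cookie-authenticated request: require a trusted origin AND the session's CSRF
  # token, whatever the Content-Type says.
  return false unless same_origin?(request, trusted_origins)
  secure_equal?(request.headers["X-CSRF-Token"], request.session_token)
end

# Constructed sample requests (values are made up for the demonstration).
TRUSTED = ["https://app.example.com"].freeze

def sample_requests
  token = "s3cr3t-csrf-token"
  {
    flash_cross_site: Request.new(http_method: "POST", content_type: "application/json",
                                  headers: { "Origin" => "https://evil.example",
                                             "Cookie" => "_session=..." },
                                  cookie_session: true, session_token: token),
    browser_same_site: Request.new(http_method: "POST", content_type: "application/json",
                                   headers: { "Referer" => "https://app.example.com/settings",
                                              "X-CSRF-Token" => token },
                                   cookie_session: true, session_token: token),
    mobile_app: Request.new(http_method: "POST", content_type: "application/json",
                            headers: { "Authorization" => "Bearer <api-token>" },
                            cookie_session: false, session_token: nil)
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_requests.each do |name, req|
    puts "#{name}: #{verified_request?(req, trusted_origins: TRUSTED)}"
  end
end
```

Run as a script it reports the Flash-style cross-site JSON POST as rejected, the same-site browser POST with a valid token as accepted, and the cookie-less mobile request as accepted. In a real Rails app the same split is usually expressed as a separate API controller using `protect_from_forgery with: :null_session` plus token authentication, rather than by whitelisting a content type.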
