iframe 导致无法验证 CSRF 令牌真实性 n Rails [英] Iframe causes Can't Verify CSRF Token Authenticity n Rails
问题描述
我有一个通过 iframe 加载的 web 应用程序,使用 phonegap 2.3.0 for Windows Phone 8 SDK.通过 iframe 加载它的问题是,当我发送 $.post() 请求时,它会导致 Rails 端的 Can't verify CSRF token authencity.>
我尝试了几种方法,例如覆盖 $.post() 以使用 $.ajax() 到 setHeaderRequest令牌,还有 $.ajaxSetup()
当我禁用 protect_from_forgery 或 verify_authenticity_token 时,应用程序加载正确.
我认为问题是由于 webapp 位于另一个域(跨域问题)而引起的,而 csrf 只是试图防止点击劫持.有没有办法绕过这个问题?
以下是我发帖方式的示例:
$.post(url, {app: {played: tiles}, no: no}, function (response) {linkTo('#app_button', response['next']);});示例:
$.ajaxSetup({beforeSend:函数(xhr){xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').prop('content'));}});我已经能够将真实性令牌作为参数传递到我的帖子请求中,但出现相同的错误.我开始相信错误不是由令牌引起的.出现错误的其他原因是什么?
日志:
[2539 - 2013/03/06 15:37:42] (INFO) 参数:{"app"=>{"played"=>"tiles"},"no"=>不",authenticity_token"=>yBpUImzjtKGiejh/WCekv/GCi1zjPirib22plqfLJ1Y="}[2539 - 2013/03/06 15:37:42](警告)警告:无法验证 CSRF 令牌的真实性[2539 - 2013/03/06 15:37:42] (INFO) 用户代理:Mozilla/5.0(兼容;MSIE 10.0;Windows Phone 8.0;Trident/6.0;IEMobile/10.0;ARM;Touch;诺基亚;Lumia 920)[2539 - 2013/03/06 15:37:42] (DEBUG) 用户负载 (1.8ms) SELECT `users`.* FROM `users` WHERE `users`.`id` 为 NULL LIMIT 1[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` 是 NULL LIMIT 1[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` 是 NULL LIMIT 1[2539 - 2013/03/06 15:37:42] (WARN) 丢失会话 [118.143.97.82] (/locations/1/games) - Mozilla/5.0(兼容;MSIE 10.0;Windows Phone 8.0;Trident/6.0;IEMobile/10.0;ARM;触摸;诺基亚;Lumia 920)[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` 是 NULL LIMIT 1答案是因为没有阻止会话存储的 P3P 标头.您需要添加一个 P3P 标头来解决此问题.
I have a webapp that is loaded through an iframe using phonegap 2.3.0 for Windows Phone 8 SDK. The problem with loading it through the iframe is that it causes Can't verify CSRF token authencity on the Rails side when I send a $.post() request.
I tried a couple of approaches such as overwrite the $.post() to use $.ajax() to setHeaderRequest with the token, and also $.ajaxSetup()
When I disable protect_from_forgery or verify_authenticity_token, the app loads correctly.
I believe the problem is caused because the webapp is located in another domain (cross domain issues) and csrf is simply trying to prevent clickjacking. Is there are way to bypass this problem?
Here is an example of how I am posting:
$.post(url, {app: {played: tiles}, no: no}, function (response) {
linkTo('#app_button', response['next']);
});
Example:
$.ajaxSetup({
beforeSend: function(xhr) {
xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').prop('content'));
}
});
Edit: I have been able to pass authenticity token as a parameter into my post request with the same error. I am starting to beleive the error is not cause by the token. What are other reasons why the error occurs?
Log:
[2539 - 2013/03/06 15:37:42] (INFO) Parameters: {"app"=>{"played"=>"tiles"}, "no"=>"no", "authenticity_token"=>"yBpUImzjtKGIejh/WCekv/GCi1zjPirib22plqfLJ1Y="}
[2539 - 2013/03/06 15:37:42] (WARN) WARNING: Can't verify CSRF token authenticity
[2539 - 2013/03/06 15:37:42] (INFO) User agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)
[2539 - 2013/03/06 15:37:42] (DEBUG) User Load (1.8ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2539 - 2013/03/06 15:37:42] (WARN) Lost session [118.143.97.82] (/locations/1/games) - Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)
[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
The answer is because of no P3P header which was blocking session storage. You need to add a P3P header to fix this.
这篇关于iframe 导致无法验证 CSRF 令牌真实性 n Rails的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
