Django：CSRF验证失败 [英] Django: CSRF verification failed

问题描述

我试图将一个非ssl包装的页面提交到一个ssl包装的页面，但是我收到这个错误。

  CSRF验证失败。请求中止。 
 
失败原因：
引用者检查失败 -  http：//< domain> /不匹配https：//< domain> /。 
  

也就是说，我正在尝试向登录方法提交用户名/密码页面。 >

如果没有收到此错误，我该怎么办？

感谢
ERic

解决方案

如果你认为它是安全的，这里是如何具体免除了普通视图的CSRF检查。

然而，我假设你在谈论 contrib.auth 视图，那么您可能必须编写自己的自定义版本并应用 @csrf_exempt 装饰器，而不是强制它（即，复制，粘贴，更改装饰器）上的方法 - 它不像听起来那么痛苦）。

绝对最坏的情况，大锤到裂纹坚果解决方案：强制禁用CSRF总共，对于所有视图，甚至 django.contrib。* 试图强制执行CSRF。上行是你不必黑客/ fork contrib模块;不利的是 - 没有CSRF ...

I am trying to submit a non-ssl wrapped page to an ssl wrapped page, but I get this error.

CSRF verification failed. Request aborted.

Reason given for failure:
    Referer checking failed - http://<domain>/ does not match https://<domain>/.

That is, I am trying to submit a username/password page to the login method.

How can I do this without getting this error?

Thanks ERic

解决方案

If you consider it to be safe, here's how to specifically exempt a normal view from CSRF checking.

However, I'm assuming you're talking about the contrib.auth views, then you may have to write your own custom version and apply the @csrf_exempt decorator instead of the one that enforces it (ie, copy, paste, change decorator on the method - it's not as painful as it sounds).

Absolutely worst-case, sledgehammer-to-crack-nut solution: force-disable CSRF altogether, for all views, even django.contrib.* ones that try to enforce CSRF. Upside is you don't have to hack/fork contrib modules; downside is - well - no CSRF...

这篇关于Django：CSRF验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！