iframe导致无法验证CSRF令牌真实性n Rails [英] Iframe causes Can't Verify CSRF Token Authenticity n Rails
问题描述
我有一个使用phonegap 2.3.0 for Windows Phone 8 SDK通过iframe加载的webapp。通过iframe加载它的问题是,当我发送 $。post时,它导致 request。在Rails端无法验证CSRF令牌验证( )
I have a webapp that is loaded through an iframe using phonegap 2.3.0 for Windows Phone 8 SDK. The problem with loading it through the iframe is that it causes Can't verify CSRF token authencity on the Rails side when I send a $.post() request.
我尝试了几种方法,例如覆盖 $。post()使用 $。ajax()使用令牌 setHeaderRequest 以及 $ .ajaxSetup()
I tried a couple of approaches such as overwrite the $.post() to use $.ajax() to setHeaderRequest with the token, and also $.ajaxSetup()
当我禁用 protect_from_forgery 或
When I disable protect_from_forgery or verify_authenticity_token, the app loads correctly.
我认为问题的原因是因为webapp位于另一个域(跨域问题),而csrf只是试图阻止点击劫持。有办法绕过这个问题吗?
I believe the problem is caused because the webapp is located in another domain (cross domain issues) and csrf is simply trying to prevent clickjacking. Is there are way to bypass this problem?
以下是我如何发布的示例:
Here is an example of how I am posting:
$.post(url, {app: {played: tiles}, no: no}, function (response) {
linkTo('#app_button', response['next']);
});
示例:
$.ajaxSetup({
beforeSend: function(xhr) {
xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').prop('content'));
}
});
编辑:
我已经能够将真实性令牌作为参数传递到我的帖子请求中有同样的错误。我开始相信错误不是由令牌引起的。发生错误的其他原因是什么?
I have been able to pass authenticity token as a parameter into my post request with the same error. I am starting to beleive the error is not cause by the token. What are other reasons why the error occurs?
日志:
[2539 - 2013/03/06 15:37:42] (INFO) Parameters: {"app"=>{"played"=>"tiles"}, "no"=>"no", "authenticity_token"=>"yBpUImzjtKGIejh/WCekv/GCi1zjPirib22plqfLJ1Y="}
[2539 - 2013/03/06 15:37:42] (WARN) WARNING: Can't verify CSRF token authenticity
[2539 - 2013/03/06 15:37:42] (INFO) User agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)
[2539 - 2013/03/06 15:37:42] (DEBUG) User Load (1.8ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2539 - 2013/03/06 15:37:42] (WARN) Lost session [118.143.97.82] (/locations/1/games) - Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)
[2539 - 2013/03/06 15:37:42] (DEBUG) CACHE (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
推荐答案
答案是因为没有P3P标题阻止会话存储。您需要添加一个P3P标头来解决此问题。
The answer is because of no P3P header which was blocking session storage. You need to add a P3P header to fix this.
这篇关于iframe导致无法验证CSRF令牌真实性n Rails的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
