Rails的3 AJAX请求的真实性令牌忽略令牌、真实性、Rails、AJAX
导轨似乎忽略的真实性令牌AJAX请求。举例来说,我特意改变了我的AJAX调用同一个无效的令牌测试一下,并要求似乎要经过正常。
该应用程序有默认的配置文件来使用会话cookie存储并在ApplicationController中的protect_from_forgery电话。
任何想法还有什么我可能会错过?
解决方案编辑>>我张贴在博客这个答案也:的http://zadasnotes.blogspot.com/2010/11/rails-3-forgery-csrf-protection-for.html
EDIT 2 >>这是在Rails的3.0.4变更。见跟进张贴在这里:的http://zadasnotes.blogspot.com/2011/02/rails-forgery-csrf-protection-for-ajax.html
一段时间研究后,我决定挖了一点到轨code文档中找到答案。
从这里开始:http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#method-i-form_authenticity_token
protect_from_forgery 将的before_filter 在 verify_authenticity_token 这是如下图所示:
#文件ActionPack的/ lib目录/ action_controller /金属/ request_forgery_protection.rb,行95
95:DEF verify_authenticity_token
96:verified_request? ||提高(ActionController的:: InvalidAuthenticityToken)
97:结束
和在 verified_request 显示在这里:
#文件ActionPack的/ lib目录/ action_controller /金属/ request_forgery_protection.rb,行
104:高清verified_request?
105:protect_against_forgery? || request.forgery_whitelisted? ||
106:form_authenticity_token == PARAMS [request_forgery_protection_token]
107:结束
最后的 request.forgery_whitelisted :
#文件ActionPack的/ lib目录/ action_dispatch / HTTP / request.rb,线126
126:高清forgery_whitelisted?
127:得到什么? || XHR? || content_mime_type.nil? || !content_mime_type.verify_request?
128:结束
注意 XHR?。 xmlHtt prequest被列入白名单,而不是在protect_from_forgery名单上。所以看来这是由设计。
在xmlHtt prequests进一步研究后,它似乎有在跨域运行它们,这使得它不必要的应用上XHR的CSRF检查限制。
Rails seems to be ignoring authenticity tokens for AJAX requests. For instance, I purposely changed my AJAX call to test this with an invalid token and requests seem to go through normally.
The application has the default configuration to use session cookie store and has the protect_from_forgery call in the ApplicationController.
Any ideas what else I could be missing?
解决方案EDIT >> I posted this answer in a blog post as well: http://zadasnotes.blogspot.com/2010/11/rails-3-forgery-csrf-protection-for.html
EDIT 2 >> This was changed in Rails 3.0.4. See follow up post here: http://zadasnotes.blogspot.com/2011/02/rails-forgery-csrf-protection-for-ajax.html
After researching it for a while, I decided to dig a bit into the rails code documentation to find out.
Starting here: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#method-i-form_authenticity_token
protect_from_forgery adds a before_filter on verify_authenticity_token which is shown below:
# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 95
95: def verify_authenticity_token
96: verified_request? || raise(ActionController::InvalidAuthenticityToken)
97: end
And the verified_request? is shown here:
# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line
104: def verified_request?
105: !protect_against_forgery? || request.forgery_whitelisted? ||
106: form_authenticity_token == params[request_forgery_protection_token]
107: end
Finally request.forgery_whitelisted?:
# File actionpack/lib/action_dispatch/http/request.rb, line 126
126: def forgery_whitelisted?
127: get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
128: end
Notice xhr?. xmlHttpRequest is whitelisted and is not on the protect_from_forgery list. So it appears that this is by design.
After researching further on xmlHttpRequests it appears that there are restrictions on running them across domains, which makes it unnecessary to apply the csrf check on xhr.
