I'm new to many pieces here (Django/Ajax etc.), so while I understand the high-level CSRF picture, I don't have a complete handle on the details.
I needed to convert a request from GET to PUT due to the larger amount of data being passed. High level, I'm making an AJAX POST API call to a Django app over HTTPS. The call is made to the same domain from where the page is served.
However, I keep getting a 'CSRF cookie not set' error.
I'm using Django 1.4.
To get past CSRF protection, I have included the X-CSRFToken header as mentioned in other posts here and included the {{ csrf_token }} tag in the data posted. However, it doesn't look like that tag gets replaced with the token. The X-CSRFToken value gets sent as NULL on the request. Not sure why it doesn't get set.
I'm under the impression that I don't need to use ensure_csrf_cookie() in the page view, as I get the cookie before the POST in ajaxSetup, but I tried that as well.
Any ideas what I'm doing wrong?
Relevant code:
    var siteUrl = "https://localhost:8443/";
    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            // Read one cookie by name out of document.cookie; null if absent.
            function getCookie(name) {
                var cookieValue = null;
                if (document.cookie && document.cookie != '') {
                    var cookies = document.cookie.split(';');
                    for (var i = 0; i < cookies.length; i++) {
                        var cookie = jQuery.trim(cookies[i]);
                        if (cookie.substring(0, name.length + 1) == (name + '=')) {
                            cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                            break;
                        }
                    }
                }
                return cookieValue;
            }
            if (new RegExp("^" + siteUrl.replace("\\", "\\\\") + ".*").test(settings.url)) {
                // Only send the token to URLs from our site.
                xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
            }
        }
    });
    // submitUrl and network_ids are defined elsewhere on the page.
    $.ajax({
        url: submitUrl,
        data: {'network_ids': JSON.stringify(network_ids),
               'csrfmiddlewaretoken': '{{ csrf_token }}'},
        type: 'POST',
        crossDomain: true,
        dataType: 'json',
        contentType: 'application/json',  // was misspelled "cotentType", which jQuery silently ignores
        success: function(mydata) {
            console.log(mydata);
        },
        error: function(jqXHR, textStatus, errorThrown) { alert(textStatus); alert(errorThrown); }
    });
Solution
You have several choices. This code listing shows you getting the CSRF token from a cookie: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = jQuery.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }
    getCookie('csrftoken');
And assuming that the JavaScript function is submitting to a Django view, you can tell that view to ignore CSRF protection. https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.csrf_exempt
    from django.http import HttpResponse
    from django.views.decorators.csrf import csrf_exempt

    @csrf_exempt
    def my_view(request):
        return HttpResponse('Hello world')
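Two things in the question's code explain the NULL token. First, `{{ csrf_token }}` is a Django template tag: it is only substituted when the JavaScript is emitted through a Django template, so in a static .js file the literal string is what gets posted. Second, Django's 'CSRF cookie not set' rejection means the request carried no `csrftoken` cookie at all, which happens when nothing in the page view caused Django to set one (`{% csrf_token %}` in the page template or `ensure_csrf_cookie` on the page view does that). The answer's cookie-reading snippet is the right client-side approach; `csrf_exempt` instead switches the protection off for that view. The block below is an added example, not code from the question, the answer, or the Django docs. It reworks the `beforeSend` logic from the question into plain functions that take the cookie string, the HTTP method, the request URL and the page origin as arguments, so the same-origin check and the cookie parser can be tested outside a browser. Function names, the origin `https://localhost:8443` and the cookie strings are constructed for the example; the browser wiring at the end assumes jQuery, as the question does.

```javascript
// Parse one cookie out of a Cookie header string ("a=1; csrftoken=abc").
// Returns null when the cookie is absent, so a caller can tell "no cookie"
// (Django's 'CSRF cookie not set') apart from an empty value.
function getCookieFrom(cookieString, name) {
  if (!cookieString) {
    return null;
  }
  var cookies = cookieString.split(';');
  for (var i = 0; i < cookies.length; i++) {
    var cookie = cookies[i].trim();
    // Compare "name=" including the '=' so that 'csrftoken' does not
    // match a cookie called 'csrftoken2'.
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Django's CsrfViewMiddleware only checks the token on methods that may
// change state; these four are treated as safe and need no header.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True when `url` targets the page's own origin. `origin` looks like
// "https://localhost:8443" (constructed value). Relative paths are
// same-origin; protocol-relative and absolute URLs must match the origin
// exactly up to the next "/", so "https://localhost:8443.evil.example"
// and a scheme downgrade to http:// are both rejected. This replaces the
// question's RegExp-on-siteUrl test, which a prefix like that would pass.
function sameOrigin(url, origin) {
  if (!/^(\/\/|https?:)/i.test(url)) {
    return true; // relative path such as "/api/submit"
  }
  var schemeless = origin.replace(/^https?:/i, ''); // "//localhost:8443"
  var candidates = [origin, schemeless];
  for (var i = 0; i < candidates.length; i++) {
    var o = candidates[i];
    if (url === o || url.substring(0, o.length + 1) === o + '/') {
      return true;
    }
  }
  return false;
}

// Decide which headers to add to a request. Returns {} when nothing should
// be sent: safe method, foreign origin, or no csrftoken cookie to send.
// In the last case the request will be rejected by Django anyway, and the
// cause is that the server never set the cookie, not a client-side bug.
function csrfHeadersFor(method, url, origin, cookieString) {
  if (csrfSafeMethod(method) || !sameOrigin(url, origin)) {
    return {};
  }
  var token = getCookieFrom(cookieString, 'csrftoken');
  if (token === null) {
    return {};
  }
  return { 'X-CSRFToken': token };
}

// Browser wiring (assumes jQuery, as in the question); not executed here.
// $.ajaxSetup({
//   beforeSend: function (xhr, settings) {
//     var origin = document.location.protocol + '//' + document.location.host;
//     var headers = csrfHeadersFor(settings.type, settings.url, origin, document.cookie);
//     for (var h in headers) { xhr.setRequestHeader(h, headers[h]); }
//   }
// });
```

With this in place the `csrfmiddlewaretoken` field in the POST body is unnecessary: Django accepts the token from either the form field or the `X-CSRFToken` header, and the header works for any content type, including a JSON body, where the form field would not be parsed.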