Rails protect_from_forgery with JavaScript

Chr*_*itt 13 javascript ruby-on-rails csrf ruby-on-rails-4

I'm running into a strange CSRF problem when trying to access a JavaScript file uploaded to my Rails server. I have a controller like:

    class SomeController < ApplicationController
      def show
        some_path = "/some/js/file/on/disk.js"
        send_file(some_path, type: "text/javascript", disposition: :inline)
      end
    end

But when navigating to http://localhost:3000/somes/1 I get the error:

Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.

Extracted source (around line #225):

    if marked_for_same_origin_verification? && non_xhr_javascript_response?
      logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
      raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
    end
  end

Note that I'm accessing this page directly, which means there is no layout, so I can't include the CSRF token in my layout.

Is there a different way I need to go about this to access this resource correctly?

EDIT: As requested in the comments, I've added the full trace below.

    actionpack (4.2.6) lib/action_controller/metal/request_forgery_protection.rb:225:in `verify_same_origin_request'
    activesupport (4.2.6) lib/active_support/callbacks.rb:432:in `block in make_lambda'
    activesupport (4.2.6) lib/active_support/callbacks.rb:239:in `block in halting'
    activesupport (4.2.6) lib/active_support/callbacks.rb:506:in `block in call'
    activesupport (4.2.6) lib/active_support/callbacks.rb:506:in `each'
    activesupport (4.2.6) lib/active_support/callbacks.rb:506:in `call'
    activesupport (4.2.6) lib/active_support/callbacks.rb:92:in `__run_callbacks__'
    activesupport (4.2.6) lib/active_support/callbacks.rb:778:in `_run_process_action_callbacks'
    activesupport (4.2.6) lib/active_support/callbacks.rb:81:in `run_callbacks'
    actionpack (4.2.6) lib/abstract_controller/callbacks.rb:19:in `process_action'
    actionpack (4.2.6) lib/action_controller/metal/rescue.rb:29:in `process_action'
    actionpack (4.2.6) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
    activesupport (4.2.6) lib/active_support/notifications.rb:164:in `block in instrument'
    activesupport (4.2.6) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
    activesupport (4.2.6) lib/active_support/notifications.rb:164:in `instrument'
    actionpack (4.2.6) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
    actionpack (4.2.6) lib/action_controller/metal/params_wrapper.rb:250:in `process_action'
    activerecord (4.2.6) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
    actionpack (4.2.6) lib/abstract_controller/base.rb:137:in `process'
    actionview (4.2.6) lib/action_view/rendering.rb:30:in `process'
    actionpack (4.2.6) lib/action_controller/metal.rb:196:in `dispatch'
    actionpack (4.2.6) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
    actionpack (4.2.6) lib/action_controller/metal.rb:237:in `block in action'
    actionpack (4.2.6) lib/action_dispatch/routing/route_set.rb:74:in `dispatch'
    actionpack (4.2.6) lib/action_dispatch/routing/route_set.rb:43:in `serve'
    actionpack (4.2.6) lib/action_dispatch/journey/router.rb:43:in `block in serve'
    actionpack (4.2.6) lib/action_dispatch/journey/router.rb:30:in `each'
    actionpack (4.2.6) lib/action_dispatch/journey/router.rb:30:in `serve'
    actionpack (4.2.6) lib/action_dispatch/routing/route_set.rb:817:in `call'
    bullet (5.1.1) lib/bullet/rack.rb:12:in `call'
    warden (1.2.6) lib/warden/manager.rb:35:in `block in call'
    warden (1.2.6) lib/warden/manager.rb:34:in `catch'
    warden (1.2.6) lib/warden/manager.rb:34:in `call'
    rack (1.6.4) lib/rack/etag.rb:24:in `call'
    rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
    rack (1.6.4) lib/rack/head.rb:13:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/flash.rb:260:in `call'
    rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
    rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/cookies.rb:560:in `call'
    activerecord (4.2.6) lib/active_record/query_cache.rb:36:in `call'
    activerecord (4.2.6) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
    activerecord (4.2.6) lib/active_record/migration.rb:377:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
    activesupport (4.2.6) lib/active_support/callbacks.rb:88:in `run_callbacks'
    activesupport (4.2.6) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
    activesupport (4.2.6) lib/active_support/callbacks.rb:81:in `run_callbacks'
    actionpack (4.2.6) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/reloader.rb:73:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
    web-console (2.3.0) lib/web_console/middleware.rb:28:in `block in call'
    web-console (2.3.0) lib/web_console/middleware.rb:18:in `catch'
    web-console (2.3.0) lib/web_console/middleware.rb:18:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
    railties (4.2.6) lib/rails/rack/logger.rb:38:in `call_app'
    railties (4.2.6) lib/rails/rack/logger.rb:20:in `block in call'
    activesupport (4.2.6) lib/active_support/tagged_logging.rb:68:in `block in tagged'
    activesupport (4.2.6) lib/active_support/tagged_logging.rb:26:in `tagged'
    activesupport (4.2.6) lib/active_support/tagged_logging.rb:68:in `tagged'
    railties (4.2.6) lib/rails/rack/logger.rb:20:in `call'
    quiet_assets (1.1.0) lib/quiet_assets.rb:27:in `call_with_quiet_assets'
    request_store (1.3.1) lib/request_store/middleware.rb:9:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/request_id.rb:21:in `call'
    rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
    rack (1.6.4) lib/rack/runtime.rb:18:in `call'
    activesupport (4.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
    rack (1.6.4) lib/rack/lock.rb:17:in `call'
    actionpack (4.2.6) lib/action_dispatch/middleware/static.rb:120:in `call'
    rack (1.6.4) lib/rack/sendfile.rb:113:in `call'
    railties (4.2.6) lib/rails/engine.rb:518:in `call'
    railties (4.2.6) lib/rails/application.rb:165:in `call'
    rack (1.6.4) lib/rack/content_length.rb:15:in `call'
    puma (3.5.0) lib/puma/configuration.rb:225:in `call'
    puma (3.5.0) lib/puma/server.rb:569:in `handle_request'
    puma (3.5.0) lib/puma/server.rb:406:in `process_client'
    puma (3.5.0) lib/puma/server.rb:271:in `block in run'
    puma (3.5.0) lib/puma/thread_pool.rb:116:in `block in spawn_thread'

小智 1

A few suggestions:

1) Make sure you add <%= csrf_meta_tag %> to your layout.

2) Make sure the csrf-token hidden field is included, for example if you use a form in your show view. Usually the form builder does this automatically.

3) Set "application/javascript" in send_file:

    if request.format.js?
      send_file(assetfilename, type: 'application/javascript')
    else
      send_file(assetfilename)
    end
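The check behind this error exists because a page on another origin can load any URL with a `<script src>` tag; if a GET endpoint returns JavaScript built from the logged-in user's data, that script runs in the attacker's page and the data leaks. Rails therefore rejects a JavaScript response to a plain (non-XHR) GET unless the action has forgery protection turned off. The following is an added example, not code from the question or the answer: a stand-alone Ruby model of the `verify_same_origin_request` logic quoted in the question, so you can see which requests trip it. The `Request` struct and helper names are constructed here; the two content-type patterns reflect that Rails 4.2 matched only `text/javascript` while later Rails versions also match `application/javascript`, which is why the answer's suggestion 3 changes the outcome on 4.2.6 but not on newer releases.

```ruby
# Added example (not from the question or answer): a standalone model of the
# Rails 4.2 check that raises ActionController::InvalidCrossOriginRequest.
# Request, JS_CONTENT_TYPE and cross_origin_js_blocked? are constructed names.

Request = Struct.new(:http_method, :headers) do
  def get?
    http_method == "GET"
  end

  # Rails' request.xhr? looks for the X-Requested-With header that
  # XMLHttpRequest-based libraries (e.g. jQuery) add to AJAX requests.
  def xhr?
    headers.fetch("X-Requested-With", "").casecmp("XMLHttpRequest").zero?
  end
end

# Patterns used by non_xhr_javascript_response?:
# Rails 4.2 matched only text/javascript; Rails 5+ also matches application/javascript.
JS_CONTENT_TYPE = {
  rails42: %r{\Atext/javascript},
  rails5:  %r{\A(?:text|application)/javascript},
}.freeze

# Returns true when the response would be rejected.
#   request            - the incoming request
#   content_type       - the Content-Type the action puts on the response
#   forgery_protection - false when the action skips verify_authenticity_token
#   rails              - which content-type pattern to apply
def cross_origin_js_blocked?(request, content_type, forgery_protection: true, rails: :rails42)
  # mark_for_same_origin_verification! runs inside verify_authenticity_token and
  # only marks GET requests, so a skipped before_action never marks the request.
  marked = forgery_protection && request.get?
  non_xhr_js = JS_CONTENT_TYPE.fetch(rails).match?(content_type) && !request.xhr?
  marked && non_xhr_js
end

# Constructed scenarios
BROWSER_NAV = Request.new("GET", {})                                    # URL typed into the address bar, as in the question
AJAX        = Request.new("GET", { "X-Requested-With" => "XMLHttpRequest" })
FORM_POST   = Request.new("POST", {})

def scenarios
  {
    question_case:  cross_origin_js_blocked?(BROWSER_NAV, "text/javascript"),
    xhr_request:    cross_origin_js_blocked?(AJAX, "text/javascript"),
    post_request:   cross_origin_js_blocked?(FORM_POST, "text/javascript"),
    skipped_action: cross_origin_js_blocked?(BROWSER_NAV, "text/javascript", forgery_protection: false),
    app_js_rails42: cross_origin_js_blocked?(BROWSER_NAV, "application/javascript"),
    app_js_rails5:  cross_origin_js_blocked?(BROWSER_NAV, "application/javascript", rails: :rails5),
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each do |name, blocked|
    puts format("%-16s %s", name, blocked ? "blocked" : "served")
  end
end
```

The `skipped_action` row is the route the error message itself points at (disabling forgery protection for that one action): it is only safe when the file served contains no per-user data, because it re-enables exactly the cross-site script inclusion the check exists to stop. A static file that is the same for every user is better served from `public/` or the asset pipeline, which never passes through this controller check at all.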