Is protect_from_forgery needed in Rails 6?

gre*_*ans 5 ruby ruby-on-rails csrf csrf-token

The protect_from_forgery method is not included in the application controller of a default Rails 6 application, but there is embedded Ruby <%= csrf_meta_tags %> in the main application layout. Does this mean that the protect_from_forgery method has been abstracted away and is no longer explicitly required in the application controller?

I have bought the Pragmatic Programmers' Rails 6 book, and the only thing I can find is "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks".

nua*_*aky 11

For Rails 5.2 and later it is enabled by default on ActionController::Base. See this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55

*   Protect from forgery by default

    Rather than protecting from forgery in the generated ApplicationController,
    add it to ActionController::Base depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    ApplicationController, but is set to true for Rails 5.2.

In the official docs: https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController::Base. This is false by default.

  • So where do we modify the setting now, so that I can add `prepend: true`? (3 upvotes)
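An added, stand-alone Ruby model of what the protection that is now on by default actually does with the token that csrf_meta_tags emits. It is not Rails' own code and is not part of the question or answer above. It assumes the Rails scheme as I understand it: a 32-byte random token kept in the session, a fresh one-time pad XORed over it on every response, url-safe Base64 encoding, GET/HEAD requests exempt from the check, and a constant-time comparison. The module name CsrfDemo, the constructed sample values, and the `protect:` flag (standing in for the effect of config.action_controller.default_protect_from_forgery) are my own.

```ruby
require 'securerandom'
require 'base64'

# Stand-alone model of Rails' masked CSRF token handling (added example,
# not Rails code). Token length and url-safe Base64 are assumptions that
# match Rails 5+/6 as far as I know.
module CsrfDemo
  TOKEN_LENGTH = 32
  SAFE_METHODS = %w[GET HEAD].freeze

  module_function

  # Raw secret that Rails keeps in the session (session[:_csrf_token]).
  def new_session_token
    SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # What csrf_meta_tags / form_authenticity_token put on the page: a random
  # one-time pad concatenated with (pad XOR raw_token), Base64-encoded.
  # Every response therefore carries a different-looking token for the
  # same session secret.
  def mask(raw_token)
    raise ArgumentError, 'bad token length' unless raw_token.bytesize == TOKEN_LENGTH
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.urlsafe_encode64(pad + xor(pad, raw_token))
  end

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time equality: no early exit on the first differing byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The check verify_authenticity_token performs: decode, split off the pad,
  # unmask, then compare with the session secret. Anything malformed fails.
  def valid?(masked, session_raw)
    return false if masked.nil? || session_raw.nil?
    decoded = Base64.urlsafe_decode64(masked)
    return false unless decoded.bytesize == TOKEN_LENGTH * 2
    pad = decoded[0, TOKEN_LENGTH]
    enc = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, enc), session_raw)
  rescue ArgumentError
    false
  end

  # Mirrors Rails' verified_request?: with protection off (the pre-5.2
  # default, or default_protect_from_forgery = false) everything passes;
  # otherwise only safe methods or a valid token pass.
  def verified_request?(method:, token:, session_raw:, protect: true)
    !protect || SAFE_METHODS.include?(method) || valid?(token, session_raw)
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = CsrfDemo.new_session_token
  page_token = CsrfDemo.mask(secret)
  puts "masked token: #{page_token}"
  puts "POST with page token:    #{CsrfDemo.verified_request?(method: 'POST', token: page_token, session_raw: secret)}"
  puts "POST without token:      #{CsrfDemo.verified_request?(method: 'POST', token: nil, session_raw: secret)}"
  puts "POST, protection off:    #{CsrfDemo.verified_request?(method: 'POST', token: nil, session_raw: secret, protect: false)}"
end
```

The `protect:` flag is the whole point of the answer above: with it on by default from Rails 5.2, a default-generated ApplicationController does not need its own protect_from_forgery line. The method itself still exists and can still be called in ApplicationController, and that is where options such as `protect_from_forgery with: :exception, prepend: true` go; the base-class default only adds the callback, it does not remove the method.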