如何禁用 jQuery 的 CSRF?
我正在测试一个远程消息服务,并且我“相信”我需要在 jQuery 中禁用 CSRF 才能使我的初始远程测试成功。
我已经在应用程序控制器中禁用了 CSRF。
如果我通过应用程序本身发送 POST,则消息传递有效,并且我会在 Rails 服务器日志中获得以下输出:
于 2011-05-07 10:49:29 -0400 开始对 127.0.0.1 发布“/messages”
由 MessagesController#create as JS 处理
参数:{"utf8"=>"✓", "authenticity_token"=>"xxx", "message"=>{"content"=>"该死的"}, "commit"=>"发送" }
SQL (0.1ms) 选择名称
来自 sqlite_master
WHERE 类型 = 'table' 而不是 name = 'sqlite_sequence'AREL (0.5ms) INSERT INTO "messages" ("content", "created_at", "updated_at") VALUES ('damn', '2011-05-07 14:49:29.887582', '2011-05- 07 14:49:29.887582') 渲染的消息/_message.html.erb(3.6ms) 渲染的消息/create.js.erb(8.2ms) 在 133 毫秒内完成 200 OK(查看次数:17.0 毫秒 | ActiveRecord:0.6 毫秒)
如果我通过 cURL 发送以下 POST 命令,我会得到以下输出:
curl -X POST -d 'message={"content":"lololol", "commit":"Send"}' http://localhost:3000/messages
于 2011-05-07 10:54:15 -0400 开始对 127.0.0.1 发布“/messages”
由 MessagesController#create as
处理 参数:{"消息"=>"{\"内容\":\"lololol\",\"提交\":\"发送\"}"}
AREL(0.3ms)插入“消息”(“内容”,“created_at”,“updated_at”)值(NULL,'2011-05-07 14:54:15.934156','2011-05-07 14:54: 15.934156')
渲染的消息/_message.html.erb(0.5ms)
渲染消息/create.js.erb(4.2ms)
在 309 毫秒内完成 200 OK(查看次数:28.1 毫秒 | ActiveRecord:0.3 毫秒)
我可以在页面上看到一个空白条目,其中包含运行 cURL 命令时的时间戳,并且正在数据库中创建一条记录,其中包含除内容之外的所有内容。
是否可以安全地假设其原因是由于 jQuery 中的 CSRF 不允许发布内容?如果是这样,我该如何禁用它?或者 cURL 发布错误?或者两者的混合?
预先感谢您的帮助。
I am testing a remote messaging service and I "believe" I am in need of disabling CSRF in jQuery for my initial remote test to be successful.
I have disabled CSRF in the Application Controller already.
If I send the POST through the application itself, the messaging works and I get the following output in my rails server log:
Started POST "/messages" for 127.0.0.1 at 2011-05-07 10:49:29 -0400
Processing by MessagesController#create as JS
Parameters: {"utf8"=>"✓", "authenticity_token"=>"xxx", "message"=>{"content"=>"damn"}, "commit"=>"Send"}
SQL (0.1ms) SELECT name
FROM sqlite_master
WHERE type = 'table' AND NOT name = 'sqlite_sequence'AREL (0.5ms) INSERT INTO "messages" ("content", "created_at", "updated_at") VALUES ('damn', '2011-05-07 14:49:29.887582', '2011-05-07 14:49:29.887582')
Rendered messages/_message.html.erb (3.6ms)
Rendered messages/create.js.erb (8.2ms)
Completed 200 OK in 133ms (Views: 17.0ms | ActiveRecord: 0.6ms)
If I send the following POST command via cURL, I get this output:
curl -X POST -d 'message={"content":"lololol", "commit":"Send"}' http://localhost:3000/messages
Started POST "/messages" for 127.0.0.1 at 2011-05-07 10:54:15 -0400
Processing by MessagesController#create as
Parameters: {"message"=>"{\"content\":\"lololol\", \"commit\":\"Send\"}"}
AREL (0.3ms) INSERT INTO "messages" ("content", "created_at", "updated_at") VALUES (NULL, '2011-05-07 14:54:15.934156', '2011-05-07 14:54:15.934156')
Rendered messages/_message.html.erb (0.5ms)
Rendered messages/create.js.erb (4.2ms)
Completed 200 OK in 309ms (Views: 28.1ms | ActiveRecord: 0.3ms)
I can see a blank entry on my page with a timestamp of when I run the cURL command and a record is being created in the database with everything but the content.
Is it safe to assume the reason for this is due to the CSRF in jQuery not allowing the content to get published? If so, how do I disable it? Or am POSTing it wrong with cURL? or a mixture of both?
Thank you in advance for any help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你的帖子是错误的。正确的语法是:
CSRF 保护不会更改参数。默认情况下,当 CSRF 验证失败时,Rails 只会重置会话(请参阅 handle_unverified_request)。
Your POST is wrong. The right syntax is:
CSRF protection wouldn't change the params. By default, when CSRF verification fails, Rails only resets the session (see the source of handle_unverified_request).