Django CSRF 失败 - 失败的可能原因有哪些?
当CSRF正确实现时,对于普通用户(非黑客)来说,CSRF失败的原因是什么?
我认为原因之一是 cookie 被禁用。 浏览器/计算机设置中是否存在其他可能导致验证失败的原因?
谢谢。
When CSRF is implemented correctly, what are the causes of CSRF failures for normal users (non hackers)?
I think one reason is when cookie is disabled.
Are there other probable reasons in their browser/computer settings that can cause the verification to fail?
Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
禁用 Cookie 将导致 CSRF 失败。唯一的其他潜在问题是 cookie 从发布到提交表单(可能是如果用户加载表单,保持浏览器窗口打开一小时或几天,然后返回并提交表单)就会过期。
CSRF 几乎只适用于用户通过浏览网站自然获得的标准表单。如果未在 POST 数据中传递 CSRF 令牌,或者未将
X-CSRFToken
标头与令牌一起随请求一起发送,则 AJAX 请求可能会失败。如果不是从同一域发送,通过 HTTPS 提交将会失败。Cookies being disabled will cause a CSRF failure. The only other potential issue would be said cookie expiring from the time it was issue to when the form was submitted (potentially if the user loaded the form, kept the browser window open for a hours or days and then returned and submitted the form).
CSRF pretty much just works with a standard form the user got to naturally through navigating the site. AJAX requests can fail if the CSRF token is not passed in the POST data or the
X-CSRFToken
header isn't sent with the token along with the request. And submissions over HTTPS will fail if not sent from the same domain.