blocks|key|237969|text|我在以下版本的Rails上也遇到了同样的问题：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|237970|+gem+'rails',+:git+=>+'git://github.com/rails/rails.git',+:branch+=>+'3-2-stable'|code-block|syntax|javascript|237971|我更新到了3.2.2，现在一切都很好。:)|237972|+gem+'rails',+'3.2.2'|237973|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|N|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|O|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|P|8|@]|9|@]|A|$E|F]]|$1|K|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|L|$]]

I had the same issue with the following version of Rails: 
 gem 'rails', :git => 'git://github.com/rails/rails.git', :branch => '3-2-stable'

I updated to 3.2.2 and everything works fine for me now. :) 
 gem 'rails', '3.2.2'

blocks|key|235408|text|编辑|type|unstyled|depth|inlineStyleRanges|offset|length|style|BOLD|entityRanges|data|235409|在Rails+4中，我现在使用@genkilabs在下面的评论中建议的内容：|235410|protect_from_forgery+with:+:null_session,+if:+Proc.new+{+%7Cc%7C+c.request.format+==+'application/json'+}|CODE|235411|它不是完全关闭内置的安全性，而是在没有CSRF令牌的情况下终止服务器上可能存在的任何会话。|235412|235413|skip_before_filter+:verify_authenticity_token,+:if+=>+Proc.new+{+%7Cc%7C+c.request.format+==+'application/json'+}|235414|这将关闭对已正确标记为json+posts/puts的CSRF检查。|235415|例如，在iOS中将以下参数设置为您的参数，其中“NSURLRequest”是您的参数：|235416|235417|[request+setHTTPMethod:@"POST"];

[request+setValue:@"application/json"+
+++++++forHTTPHeaderField:@"content-type"];

[request+setValue:@"application/json"+
+++++++forHTTPHeaderField:@"accept"];

[request+setHTTPBody:[NSData+dataWithBytes:[parameters+UTF8String]+
++++++++++++++++++++++++++++++++++++++++++++length:[parameters+length]]];|code-block|syntax|javascript|235418|entityMap^0|0|2|0|0|0|2T|0|0|0|0|31|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|11|8|@$9|12|A|13|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|14|8|@]|D|@]|E|$]]|$1|H|3|I|5|6|7|15|8|@$9|16|A|17|B|J]]|D|@]|E|$]]|$1|K|3|L|5|6|7|18|8|@]|D|@]|E|$]]|$1|M|3|-4|5|6|7|19|8|@]|D|@]|E|$]]|$1|N|3|O|5|6|7|1A|8|@$9|1B|A|1C|B|J]]|D|@]|E|$]]|$1|P|3|Q|5|6|7|1D|8|@]|D|@]|E|$]]|$1|R|3|S|5|6|7|1E|8|@]|D|@]|E|$]]|$1|T|3|-4|5|6|7|1F|8|@]|D|@]|E|$]]|$1|U|3|V|5|W|7|1G|8|@]|D|@]|E|$X|Y]]|$1|Z|3|-4|5|6|7|1H|8|@]|D|@]|E|$]]]|10|$]]

EDIT:

In Rails 4 I now use what @genkilabs suggests in the comment below:

<code>protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }</code>

Which, instead of completely turning off the built in security, kills off any session that might exist when something hits the server without the CSRF token.

<hr>

<code>skip_before_filter :verify_authenticity_token, :if =&gt; Proc.new { |c| c.request.format == 'application/json' }</code>

This would turn off the CSRF check for json posts/puts that have properly been marked as such. 

For example, in iOS setting the following to your NSURLRequest where "parameters" are your parameters:

<hr>

<pre><code>[request setHTTPMethod:@"POST"];

[request setValue:@"application/json" 
 forHTTPHeaderField:@"content-type"];

[request setValue:@"application/json" 
 forHTTPHeaderField:@"accept"];

[request setHTTPBody:[NSData dataWithBytes:[parameters UTF8String] 
 length:[parameters length]]];
</code></pre>

blocks|key|3119197|text|令人担忧的是，在Rails+3.2.3中，我们现在在production.log中收到CSRF警告，但post没有失败！我希望它失败，因为它能保护我免受攻击。您可以在过滤btw之前使用jquery添加csrf令牌：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3119198|http://jasoncodes.com/posts/rails-csrf-vulnerability|offset|length|3119199|entityMap|0|LINK|mutability|MUTABLE|url^0|0|0|1G|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@$D|O|E|P|1|Q]]|A|$]]|$1|F|3|-4|5|6|7|R|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|C]]]]

What's worrying is that in Rails 3.2.3 we now get the CSRF warning in production.log but the post does not fail! I want it to fail as it protects me from attacks. And you can add the csrf token with jquery before filter btw:

<a href="http://jasoncodes.com/posts/rails-csrf-vulnerability" rel="nofollow">http://jasoncodes.com/posts/rails-csrf-vulnerability</a>

blocks|key|2904859|text|您可以在成功登录后使用自定义标头发送CSRF令牌。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2904860|例如，把这个放到你的sessions#create中：|2904861|response.headers['X-CSRF-Token']+=+form_authenticity_token|code-block|syntax|javascript|2904862|提供CSRF令牌的登录响应标头示例：|2904863|HTTP/1.1+200+OK
Cache-Control:+max-age=0,+private,+must-revalidate
Connection:+Keep-Alive
Content-Length:+35
Content-Type:+application/json;+charset=utf-8
Date:+Mon,+22+Oct+2012+11:39:04+GMT
Etag:+"9d719d3b9aabd413c3603e04e8a3933d"
Server:+WEBrick/1.3.1+(Ruby/1.9.3/2012-10-12)
Set-Cookie:+[cut+for+readability]+
X-Csrf-Token:+PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=
X-Request-Id:+178746992d7aca928c876818fcdd4c96
X-Runtime:+0.169792
X-Ua-Compatible:+IE=Edge|2904864|此令牌在您重新登录或(如果您通过API支持则注销)之前一直有效。您的客户端可以从登录响应标头中提取并存储令牌。然后，每个POST/PUT/DELETE请求都必须用登录时收到的值设置X-CSRF-Token标头。|2904865|使用CSRF令牌的示例帖子标头：|2904866|POST+/api/report+HTTP/1.1
Accept:+application/json
Accept-Encoding:+gzip,+deflate,+compress
Content-Type:+application/json;+charset=utf-8
Cookie:+[cut+for+readability]
Host:+localhost:3000
User-Agent:+HTTPie/0.3.0
X-CSRF-Token:+PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=|2904867|文档：form_authenticity_token|offset|length|2904868|entityMap|0|LINK|mutability|MUTABLE|url|http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#method-i-form_authenticity_token^0|0|0|0|0|0|0|0|0|3|N|0|0^^$0|@$1|2|3|4|5|6|7|14|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|15|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|16|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|17|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|18|8|@]|9|@]|A|$G|H]]|$1|M|3|N|5|6|7|19|8|@]|9|@]|A|$]]|$1|O|3|P|5|6|7|1A|8|@]|9|@]|A|$]]|$1|Q|3|R|5|F|7|1B|8|@]|9|@]|A|$G|H]]|$1|S|3|T|5|6|7|1C|8|@]|9|@$U|1D|V|1E|1|1F]]|A|$]]|$1|W|3|-4|5|6|7|1G|8|@]|9|@]|A|$]]]|X|$Y|$5|Z|10|11|A|$12|13]]]]

You can send the CSRF token, after a successful log-in, using a custom header. 

E.g, put this in your sessions#create :

<pre><code>response.headers['X-CSRF-Token'] = form_authenticity_token
</code></pre>

Sample log-in response header providing the CSRF token:

<pre><code>HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
Connection: Keep-Alive
Content-Length: 35
Content-Type: application/json; charset=utf-8
Date: Mon, 22 Oct 2012 11:39:04 GMT
Etag: "9d719d3b9aabd413c3603e04e8a3933d"
Server: WEBrick/1.3.1 (Ruby/1.9.3/2012-10-12)
Set-Cookie: [cut for readability] 
X-Csrf-Token: PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=
X-Request-Id: 178746992d7aca928c876818fcdd4c96
X-Runtime: 0.169792
X-Ua-Compatible: IE=Edge
</code></pre>

This Token is valid until you log-in again or (log-out if you support this through your API).
Your client can extract and store the token from the log-in response headers. Then, each POST/PUT/DELETE request must set the X-CSRF-Token header with the value received at the log-in time.

Sample POST headers with the CSRF token:

<pre><code>POST /api/report HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate, compress
Content-Type: application/json; charset=utf-8
Cookie: [cut for readability]
Host: localhost:3000
User-Agent: HTTPie/0.3.0
X-CSRF-Token: PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=
</code></pre>

Documentation: <a href="http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#method-i-form_authenticity_token">form_authenticity_token</a>

blocks|key|2904948|text|确实是最简单的方法。不要费心更改标题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2904949|确保您拥有：|2904950|<%25=+csrf_meta_tag+%25>|code-block|syntax|javascript|2904951|在你的layouts/application.html.erb中|offset|length|style|CODE|2904952|只需像这样做一个隐藏的输入字段：|2904953|<input+name="authenticity_token"+
+++++++type="hidden"+
+++++++value="<%25=+form_authenticity_token+%25>"/>|2904954|或者如果你想要一篇jquery+ajax文章：|2904955|$.ajax({+++++
++++type:+'POST',
++++url:+"<%25=+someregistration_path+%25>",
++++data:+{+"firstname":+"text_data_1",+"last_name":+"text_data2",+"authenticity_token":+"<%25=+form_authenticity_token+%25>"+},++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++error:+function(+xhr+){+
++++++alert("ERROR+ON+SUBMIT");
++++},
++++success:+function(+data+){+
++++++//data+response+can+contain+what+we+want+here...
++++++console.log("SUCCESS,+data="%2Bdata);
++++}
});|2904956|基本上，当您发布json数据时，只需向post数据添加一个有效的authenticity_token字段，警告就会消失……|2904957|entityMap^0|0|0|0|3|S|0|0|0|0|0|J|4|0^^$0|@$1|2|3|4|5|6|7|10|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|11|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|12|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|13|8|@$K|14|L|15|M|N]]|9|@]|A|$]]|$1|O|3|P|5|6|7|16|8|@]|9|@]|A|$]]|$1|Q|3|R|5|F|7|17|8|@]|9|@]|A|$G|H]]|$1|S|3|T|5|6|7|18|8|@]|9|@]|A|$]]|$1|U|3|V|5|F|7|19|8|@]|9|@]|A|$G|H]]|$1|W|3|X|5|6|7|1A|8|@$K|1B|L|1C|M|N]]|9|@]|A|$]]|$1|Y|3|-4|5|6|7|1D|8|@]|9|@]|A|$]]]|Z|$]]

Indeed simplest way. Don't bother with changing the headers.

Make sure you have:

<pre><code>&lt;%= csrf_meta_tag %&gt;
</code></pre>

in your <code>layouts/application.html.erb</code>

Just do a hidden input field like so:

<pre><code>&lt;input name="authenticity_token" 
 type="hidden" 
 value="&lt;%= form_authenticity_token %&gt;"/&gt;
</code></pre>

Or if you want a jquery ajax post: 

<pre><code>$.ajax({ 
 type: 'POST',
 url: "&lt;%= someregistration_path %&gt;",
 data: { "firstname": "text_data_1", "last_name": "text_data2", "authenticity_token": "&lt;%= form_authenticity_token %&gt;" }, 
 error: function( xhr ){ 
 alert("ERROR ON SUBMIT");
 },
 success: function( data ){ 
 //data response can contain what we want here...
 console.log("SUCCESS, data="+data);
 }
});
</code></pre>

Basically when you post your json data just add a valid authenticity_token field to the <code>post</code> data and the warning should go away...

blocks|key|3119338|text|我今晚也遇到了同样的问题。发生这种情况的原因是因为当您登录时，最后一个csrf-token不再有效。我所做的是:在您的应用程序/views/devise/+$("meta[name=csrf-token]").attr('content',+'<%25=+form_authenticity_token+%25>');+/create.js.rb中创建会话。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|3119339|现在它确实有一个有效的csrf-token+:)，我希望它能有所帮助|3119340|entityMap^0|26|25|0|0^^$0|@$1|2|3|4|5|6|7|J|8|@$9|K|A|L|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|M|8|@]|D|@]|E|$]]|$1|H|3|-4|5|6|7|N|8|@]|D|@]|E|$]]]|I|$]]

I ran into the same issue tonight.
The reason that happens is because when you sign in the last csrf-token is no longer valid.
What I did was:
<code>$("meta[name=csrf-token]").attr('content', '&lt;%= form_authenticity_token %>');</code> in your app/views/devise/sessions/create.js.rb.

Now it does have a valid csrf-token :)
I hope it helps

blocks|key|3119361|text|也适用于开发/测试模式。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3119362|protect_from_forgery+with:+:exception+unless+%25w(development+test).include?+Rails.env|code-block|syntax|javascript|3119363|此警告显示因为您使用的是:null_session，所以在Rails4.1中，如果未指定with:选项，则默认情况下它会工作。|offset|length|style|CODE|3119364|protect_from_forgery|3119365|entityMap^0|0|0|C|D|18|5|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|R|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|S|8|@$I|T|J|U|K|L]|$I|V|J|W|K|L]]|9|@]|A|$]]|$1|M|3|N|5|D|7|X|8|@]|9|@]|A|$E|F]]|$1|O|3|-4|5|6|7|Y|8|@]|9|@]|A|$]]]|P|$]]

Also for development/test mode. 

<pre><code>protect_from_forgery with: :exception unless %w(development test).include? Rails.env
</code></pre>

This warning shows because you are using <code>:null_session</code>, in Rails 4.1 it works by default if no <code>with:</code> options specified.

<pre><code>protect_from_forgery
</code></pre>

blocks|key|2905065|text|我已经使用了下面的方法。使用include？因此，如果内容类型是application/json;charset=utf-8，那么它仍然有效。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2905066|protect_from_forgery+with:+:null_session,+if:+Proc.new+{+%7Cc%7C+c.request.format.include?+'application/json'+}|code-block|syntax|javascript|2905067|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

I have used the below. Using include? so if the content type is application/json;charset=utf-8 then it is still working.

<pre><code>protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format.include? 'application/json' }
</code></pre>

blocks|key|3119407|text|我以这种方式解决了这个错误：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|3119408|class+ApplicationController+<+ActionController::Base
++protect_from_forgery
++skip_before_action+:verify_authenticity_token,+if:+:json_request?

++protected

++def+json_request?
++++request.format.json?
++end
end|code-block|syntax|javascript|3119409|来源：http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html|offset|length|3119410|entityMap|0|LINK|mutability|MUTABLE|url|http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html^0|0|0|3|29|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|T|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|U|8|@]|9|@$I|V|J|W|1|X]]|A|$]]|$1|K|3|-4|5|6|7|Y|8|@]|9|@]|A|$]]]|L|$M|$5|N|O|P|A|$Q|R]]]]

I resolved that error this way:

<pre><code>class ApplicationController &lt; ActionController::Base
 protect_from_forgery
 skip_before_action :verify_authenticity_token, if: :json_request?

 protected

 def json_request?
 request.format.json?
 end
end
</code></pre>

Source:
<a href="http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html" rel="nofollow noreferrer">http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html</a>

blocks|key|238098|text|This+answer更好。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|238099|您可以在任何XMLHttpRequest发送之前保留CSRF-TOKEN验证，而不需要额外的工作(附加了令牌)。没有JQuery，什么都没有，只有复制/粘贴和刷新。|238100|只需添加此代码即可。|238101|(function()+{
++++var+send+=+XMLHttpRequest.prototype.send,
++++++++token+=+$('meta[name=csrf-token]').attr('content');
++++XMLHttpRequest.prototype.send+=+function(data)+{
++++++++this.setRequestHeader('X-CSRF-Token',+token);
++++++++return+send.apply(this,+arguments);
++++};
}());|code-block|syntax|javascript|238102|entityMap|0|LINK|mutability|MUTABLE|url|https://stackoverflow.com/questions/24196140/adding-x-csrf-token-header-globally-to-all-instances-of-xmlhttprequest^0|0|B|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@]|9|@$A|V|B|W|1|X]]|C|$]]|$1|D|3|E|5|6|7|Y|8|@]|9|@]|C|$]]|$1|F|3|G|5|6|7|Z|8|@]|9|@]|C|$]]|$1|H|3|I|5|J|7|10|8|@]|9|@]|C|$K|L]]|$1|M|3|-4|5|6|7|11|8|@]|9|@]|C|$]]]|N|$O|$5|P|Q|R|C|$S|T]]]]

<a href="https://stackoverflow.com/questions/24196140/adding-x-csrf-token-header-globally-to-all-instances-of-xmlhttprequest">This answer</a> is better. 

You get to keep the CSRF-TOKEN validation with no extra effort (the token is appended) before any XMLHttpRequest send. No JQuery, no nothing just copy/paste and refresh.

Simply add this code.

<pre><code>(function() {
 var send = XMLHttpRequest.prototype.send,
 token = $('meta[name=csrf-token]').attr('content');
 XMLHttpRequest.prototype.send = function(data) {
 this.setRequestHeader('X-CSRF-Token', token);
 return send.apply(this, arguments);
 };
}());
</code></pre>

How can I retrieve the CSRF token to pass with a JSON request?

I know that for security reasons <a href="http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails" rel="noreferrer">Rails is checking the CSRF token</a> on all the request types (including JSON/XML).

I could put in my controller <code>skip_before_filter :verify_authenticity_token</code>, but I would lose the CRSF protection (not advisable :-) ).

This similar (still not accepted) <a href="https://stackoverflow.com/questions/9044141/rails-devise-creating-new-users-via-json-request">answer</a> suggests to

<blockquote>
 Retrieve the token with <code>&lt;%= form_authenticity_token %&gt;</code>
</blockquote>

The question is how? Do I need to do a first call to any of my pages to retrieve the token and then do my real authentication with Devise? Or it is an information one-off that I can get from my server and then use consistently (until I manually change it on the server itself)?

rails - "WARNING: Can't verify CSRF token authenticity" for json devise requests

身份验证

服务器

JSON

如何检索要与JSON请求一起传递的CSRF令牌？我知道出于安全原因，所有请求类型(包括JSON/XML)都使用。我可以放入我的控制器skip_before_filter :verify_authenticity_token，但我会失去CRSF保护(不建议:-)。这个类似的(仍未被接受) 建议使用<%= form_aut...

问rails - json devise请求的“警告:无法验证CSRF令牌的真实性”
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问rails - json devise请求的“警告:无法验证CSRF令牌的真实性”EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问rails - json devise请求的“警告:无法验证CSRF令牌的真实性”
EN