JavaScript: how to handle a CSRF token with XMLHttpRequest?
Tags: javascript, xmlhttprequest, csrf

The API I am using is CSRF-protected, so I need to make a GET call to fetch the CSRF token and then pass the same token to the POST call.
Below is how I tried it, but I always get "CSRF token validation failed" as the response to the POST call:
var tryout = new XMLHttpRequest();
// First call: GET with "x-csrf-token: fetch" so the server issues a token
tryout.open("GET", "/api/1.0/csrf");
tryout.withCredentials = true;
tryout.setRequestHeader("x-csrf-token", "fetch");
tryout.setRequestHeader("Accept", "application/json");
tryout.setRequestHeader("Content-Type", "application/json; charset=utf-8");
tryout.onreadystatechange = function () {
    console.log(this);
    var csrfToken = this.getResponseHeader('x-csrf-token');
    if (tryout.readyState == 4) {
        console.log(csrfToken);
        // Second call: the same object is reused for the POST
        tryout.open('POST', '/api/1.0/create');
        // open() resets the request, so this.getResponseHeader() returns null from here on
        tryout.setRequestHeader('x-csrf-token', this.getResponseHeader('x-csrf-token'));
        tryout.onreadystatechange = function () {
            console.log("call 2");
            console.log(this.responseText);
        };
        tryout.send();
    }
};
tryout.send();
I suspect that the POST call may be starting a new session, so the CSRF token is not valid for that session.

Please guide me on how to execute the two XHR calls in the same session.

"x-csrf-token", "fetch" is used with the GET method to fetch data. You then get the CSRF token value. Just copy it and add it to your code; it may work.

I tried using XMLHttpRequest with synchronous calls, using the same XHR object for both calls (fetching the CSRF token and then the HTTP POST call that passes the CSRF token in the header), and it worked. Below is the sample code:
var res = null;
var obj = {}; // request body; the author's definition was omitted from the post
var tryout = new XMLHttpRequest();
// Synchronous GET (third argument false) to fetch the token
tryout.open("GET", "/odata/1.0/service.svc", false);
tryout.withCredentials = true;
tryout.setRequestHeader("x-csrf-token", "fetch");
tryout.setRequestHeader("Accept", "application/json");
tryout.setRequestHeader("Content-Type", "application/json; charset=utf-8");
tryout.send(null);
if (tryout.readyState === 4) {
    // Read the token before open() clears the response headers
    var csrfToken = tryout.getResponseHeader('x-csrf-token');
    // Synchronous POST on the same object, passing the token back in the header
    tryout.open('POST', '/odata/1.0/service.svc/Clients', false);
    tryout.setRequestHeader('x-csrf-token', csrfToken);
    tryout.setRequestHeader("Content-Type", "application/json; charset=utf-8");
    tryout.setRequestHeader("Accept", "application/json");
    tryout.send(JSON.stringify(obj));
    if (tryout.readyState === 4) {
        res = JSON.parse(tryout.responseText); // `this` is not the request object at top level
    }
}
What is obj? Is it defined anywhere?

Yes, McJohnson, obj is defined; it is the request body. Somehow I missed copying that part of the snippet here.
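As an added example (not code from the original post or its answer), here is the same token-fetch-then-POST handshake written with the Fetch API, so that both requests share the session cookie via credentials: "include" instead of relying on synchronous XHR. The paths and the x-csrf-token header are taken from the answer; fetchImpl is a hypothetical parameter that lets the flow run offline against the constructed fake server in the block, which rejects a POST whose token was issued to a different session, the failure the question describes.

```javascript
// Added example, not code from the original post. fetchImpl is a hypothetical
// injection point (pass the browser's fetch in real use); the endpoint paths
// and the x-csrf-token header are the ones from the answer.
async function postWithCsrf(fetchImpl, serviceUrl, collectionUrl, body) {
  // Step 1: GET with "x-csrf-token: fetch" asks for a token bound to this session.
  const probe = await fetchImpl(serviceUrl, {
    method: "GET",
    credentials: "include",
    headers: { "x-csrf-token": "fetch", Accept: "application/json" },
  });
  const token = probe.headers.get("x-csrf-token");
  if (!probe.ok || !token) throw new Error("token fetch failed: HTTP " + probe.status);
  // Step 2: POST from the same session, echoing the token in the header.
  const res = await fetchImpl(collectionUrl, {
    method: "POST",
    credentials: "include",
    headers: {
      "x-csrf-token": token,
      Accept: "application/json",
      "Content-Type": "application/json; charset=utf-8",
    },
    body: JSON.stringify(body),
  });
  // 403 means the token does not match the session: the symptom in the question.
  if (res.status === 403) throw new Error("CSRF token validation failed");
  return res.json();
}

// Constructed stand-in for the server, for offline testing only: one token per
// session cookie, and a POST is accepted only with the token issued to that session.
function makeFakeServer() {
  const issued = new Map(); // session cookie -> token
  const reply = (status, headers, payload) => ({ ok: status < 400, status, headers, json: async () => payload });
  return async function fakeFetch(url, init) {
    const session = init.credentials === "include" ? "sid=abc123" : "no-cookie";
    const headers = new Map();
    if (init.method === "GET" && init.headers["x-csrf-token"] === "fetch") {
      const token = "tok-" + session; // constructed token value
      issued.set(session, token);
      headers.set("x-csrf-token", token);
      return reply(200, headers, {});
    }
    if (init.method === "POST" && issued.get(session) === init.headers["x-csrf-token"]) {
      return reply(201, headers, { created: JSON.parse(init.body), path: url });
    }
    return reply(403, headers, { error: "CSRF token validation failed" });
  };
}
```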