Javascript Csrf验证失败-Django Rest和Backbone.js
我已经开始学习“轻量级Django”,以进一步了解Django和客户端JavaScript。在测试使用Javascript Csrf验证失败-Django Rest和Backbone.js,javascript,python,django,backbone.js,Javascript,Python,Django,Backbone.js,我已经开始学习“轻量级Django”,以进一步了解Django和客户端JavaScript。在测试使用Backbone.js创建的LoginView期间,我得到了禁止(403)CSRF验证失败。请求中止。消息,如本文所述:。 首先,我想在表单中插入{%csrf\u token%}模板标记,但当我这样做时,服务器会给我一条POST/HTTP/1.1“405 0-不允许使用方法(POST):/消息 由于AJAXX-CSRFToken请求头是使用$.ajaxPrefilter()设置的,因此我无法找出
Backbone.js创建的LoginView
期间,我得到了禁止(403)CSRF验证失败。请求中止。
消息,如本文所述:。
首先,我想在表单中插入{%csrf\u token%}
模板标记,但当我这样做时,服务器会给我一条POST/HTTP/1.1“405 0-不允许使用方法(POST):/
消息
由于AJAXX-CSRFToken
请求头是使用$.ajaxPrefilter()
设置的,因此我无法找出问题所在
当我使用httpie使用超级用户详细信息执行POST请求时,一切正常,如下例所示:
HTTP/1.0 200 OK
Allow: POST, OPTIONS
Content-Type: application/json
Date: Mon, 11 Sep 2017 13:49:49 GMT
Server: WSGIServer/0.2 CPython/3.6.2
Vary: Cookie
X-Frame-Options: SAMEORIGIN
{
"token" : some_value
}
利用控制台的“Inspect Element”功能,我得到以下消息:
Response headers:
Allow: GET, HEAD, OPTIONS
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Mon, 11 Sep 2017 14:03:06 GMT
Server: WSGIServer/0.2 CPython/3.6.2
X-Frame-Options: SAMEORIGIN
Request headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 116
Content-Type: application/x-www-form-urlencoded
Cookie: csrftoken=some_value
Host: 127.0.0.1:8000
Referer: http://127.0.0.1:8000/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
我不知道是因为模板视图
还是我遗漏了什么:
urls.py:
from django.conf.urls import url,include
from django.views.generic import TemplateView
#from django.views.decorators.csrf import ensure_csrf_cookie
from rest_framework.authtoken.views import obtain_auth_token
from board.urls import router
urlpatterns = [
url(r'^api-auth/', obtain_auth_token, name='api-login'),
url(r'^api-root/', include(router.urls)),
url(r'^$', TemplateView.as_view(template_name='board/index.html')),
]
有人能解释一下到底发生了什么吗?
谢谢!在每个POST请求之前,您需要将CSRF令牌发送到django weebasite中的django后端,您可以为您的前端(backbone.js)创建一个ajaxSetup。只需创建新文件ajaxSetup.js并通过此代码即可
function csrfSafeMethod(method) {
// these HTTP methods do not require CSRF protection
return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
function sameOrigin(url) {
// test that a given url is a same-origin URL
// url could be relative or scheme relative or absolute
var host = document.location.host; // host + port
var protocol = document.location.protocol;
var sr_origin = '//' + host;
var origin = protocol + sr_origin;
// Allow absolute or scheme relative URLs to same origin
return (url == origin || url.slice(0, origin.length + 1) == origin +
'/') ||
(url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin +
'/') ||
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}
$.ajaxSetup({
beforeSend: function(xhr, settings) {
if (!csrfSafeMethod(settings.type) && sameOrigin(settings.url)) {
// Send the token to same-origin, relative URLs only.
// Send the token only if the method warrants CSRF protection
// Using the CSRFToken value acquired earlier
xhr.setRequestHeader("X-CSRFToken", csrftoken);
}
}
});
您可以在django官方网站上了解这一点在您需要向django weebasite中的django后端发送CSRF令牌之前,您可以为您的前端(backbone.js)创建一个新文件ajaxSetup.js并通过此代码
function csrfSafeMethod(method) {
// these HTTP methods do not require CSRF protection
return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
function sameOrigin(url) {
// test that a given url is a same-origin URL
// url could be relative or scheme relative or absolute
var host = document.location.host; // host + port
var protocol = document.location.protocol;
var sr_origin = '//' + host;
var origin = protocol + sr_origin;
// Allow absolute or scheme relative URLs to same origin
return (url == origin || url.slice(0, origin.length + 1) == origin +
'/') ||
(url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin +
'/') ||
// or any other URL that isn't scheme relative or absolute i.e relative.
!(/^(\/\/|http:|https:).*/.test(url));
}
$.ajaxSetup({
beforeSend: function(xhr, settings) {
if (!csrfSafeMethod(settings.type) && sameOrigin(settings.url)) {
// Send the token to same-origin, relative URLs only.
// Send the token only if the method warrants CSRF protection
// Using the CSRFToken value acquired earlier
xhr.setRequestHeader("X-CSRFToken", csrftoken);
}
}
});
你可以在django官方网站上看到这一点