Rails使用Javascript防止伪造_Javascript_Ruby On Rails_Ruby On Rails 4_Csrf

Rails使用Javascript防止伪造

javascript ruby-on-rails ruby-on-rails-4

Rails使用Javascript防止伪造,javascript,ruby-on-rails,ruby-on-rails-4,csrf,Javascript,Ruby On Rails,Ruby On Rails 4,Csrf,我遇到了一个奇怪的CSRF，我试图访问一个上传到rails服务器上的javascript文件。我有一个控制器，例如： class SomeController < ApplicationController def show some_path = "/some/js/file/on/disk.js" send_file(some_path, type: "text/javascript", disposition: :inline) end end 请注意，我直

我遇到了一个奇怪的CSRF，我试图访问一个上传到rails服务器上的javascript文件。我有一个控制器，例如：

class SomeController < ApplicationController
  def show
    some_path = "/some/js/file/on/disk.js"
    send_file(some_path, type: "text/javascript", disposition: :inline)
  end
end

请注意，我直接访问此页面，这意味着没有布局，因此我不能在布局中包含CSRF令牌

为了正确访问此资源，是否需要采取不同的措施

编辑：根据评论请求，我在下面添加了完整的跟踪

actionpack（4.2.6） lib/action\u controller/metal/request\u forgery\u protection.rb:225:in

验证相同来源请求的activesupport（4.2.6）
lib/active\u support/callbacks.rb:432:in

在make\u lambda' activesupport（4.2.6）lib/active_support/callbacks.rb:239:in

block in
停止'activesupport（4.2.6）lib/active_support/callbacks.rb:506:in

阻止调用“activesupport”（4.2.6） lib/active_support/callbacks.rb:506:in

each'activesupport（4.2.6）
lib/active_support/callbacks.rb:506:in

call'activesupport（4.2.6） lib/active\u support/callbacks.rb:92:in

\u运行\u callbacks\u
activesupport（4.2.6）lib/active_support/callbacks.rb:778:in

\u运行\u流程\u操作\u回调的活动支持（4.2.6） lib/active\u support/callbacks.rb:81:in

run\u callbacks'actionpack
（4.2.6）lib/abstract\u controller/callbacks.rb:19:in

process\u action' actionpack（4.2.6）lib/action_controller/metal/rescue.rb:29:in

process_action'actionpack（4.2.6）
lib/action\u controller/metal/instrumentation.rb:32:in

block in 过程行动的主动支持（4.2.6） lib/active_support/notifications.rb:164:in

block in instrument'
activesupport（4.2.6）
lib/active_support/notifications/instrumenter.rb:20:in

instrument' activesupport（4.2.6）lib/active_support/notifications.rb:164:in

仪器的actionpack（4.2.6）
lib/action\u controller/metal/instrumentation.rb:30:in

process\u action' actionpack（4.2.6） lib/action\u controller/metal/params\u wrapper.rb:250:in

process\u action'
activerecord（4.2.6）
lib/active\u record/railties/controller\u runtime.rb:18:in

process\u action'actionpack（4.2.6） lib/abstract\u controller/base.rb:137:in

process'actionview（4.2.6）
lib/action_view/rendering.rb:30:in

process'actionpack（4.2.6） lib/action\u controller/metal.rb:196:in

dispatch'actionpack（4.2.6）
lib/action\u controller/metal/rack\u delegation.rb:13:in

dispatch' actionpack（4.2.6）lib/action_controller/metal.rb:237:in

block in
“行动”行动包（4.2.6）
lib/action\u dispatch/routing/route\u set.rb:74:in

dispatch'actionpack （4.2.6）lib/action\u dispatch/routing/route\u set.rb:43:in

service'
actionpack（4.2.6）lib/action_dispatch/journe/router.rb:43:in

块服务中的行动包（4.2.6） lib/action\u dispatch/journe/router.rb:30:in

each'actionpack（4.2.6）
lib/action\u dispatch/journe/router.rb:30:in

service'actionpack（4.2.6） lib/action\u dispatch/routing/route\u set.rb:817:in

call'项目符号（5.1.1）
lib/bullet/rack.rb:12:in

call'warden（1.2.6） lib/warden/manager.rb:35:in

block in call'warden（1.2.6）
lib/warden/manager.rb:34:in

catch'warden（1.2.6） lib/warden/manager.rb:34:in

call'rack（1.6.4）lib/rack/etag.rb:24:in

call'rack（1.6.4）lib/rack/conditionalget.rb:25:in

call'rack
（1.6.4）lib/rack/head.rb:13:in

call'actionpack（4.2.6） lib/action\u dispatch/middleware/params\u parser.rb:27:in

call'
actionpack（4.2.6）lib/action\u dispatch/middleware/flash.rb:260:in

调用'rack（1.6.4）lib/rack/session/abstract/id.rb:225:in

上下文'
机架（1.6.4）lib/rack/session/abstract/id.rb:220:in

调用“actionpack” （4.2.6）lib/action\u dispatch/middleware/cookies.rb:560:in

call'
activerecord（4.2.6）lib/active\u record/query\u cache.rb:36:in

call' activerecord（4.2.6） lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in

call'activerecord（4.2.6）lib/active\u record/migration.rb:377:in

调用“actionpack”（4.2.6） lib/action\u dispatch/middleware/callbacks.rb:29:in

block in call'
activesupport（4.2.6）lib/active_support/callbacks.rb:88:in

运行回调'activesupport（4.2.6） lib/active\u support/callbacks.rb:778:in

\u run\u callbacks'
activesupport（4.2.6）lib/active_support/callbacks.rb:81:in

run_callbacks'actionpack（4.2.6） lib/action\u dispatch/middleware/callbacks.rb:27:in

call'actionpack
（4.2.6）lib/action\u dispatch/middleware/reloader.rb:73:in

call' actionpack（4.2.6）lib/action\u dispatch/middleware/remote\u ip.rb:78:in 调用actionpack（4.2.6） lib/action\u dispatch/middleware/debug\u exceptions.rb:17:incall' web控制台（2.3.0）lib/web_控制台/中间件。rb:28:in

block-in
调用“web控制台（2.3.0）lib/web_控制台/中间件。rb:18:in

catch” web控制台（2.3.0）lib/web_控制台/中间件。rb:18:in

call'
actionpack（4.2.6）
lib/action\u dispatch/middleware/show\u exceptions.rb:30:in

call' railties（4.2.6）lib/rails/rack/logger.rb:38:in

call_app'railties
（4.2.6）lib/rails/rack/logger.rb:20:in

block in调用“activesupport” （4.2.6）lib/active_support/taged_logging.rb:68:in

block in taged'
activesupport（4.2.6）lib/active\u support/taged\u logging.rb:26:in

taged'activesupport（4.2.6） lib/active_support/tagged_logging.rb:68:in

tagged'railties（4.2.6）
lib/rails/rack/logger.rb:20:in

call'quiet_资产（1.1.0） lib/quiet\u assets.rb:27:in

call\u with\u quiet\u assets的请求存储
（1.3.1）lib/request\u store/middleware.rb:9:in

call'actionpack（4.2.6） lib/action\u dispatch/middleware/request\u id.rb:21:in

call'机架（1.6.4）
lib/rack/methodoverride.rb:22:in

call'rack（1.6.4） lib/rack/runtime.rb:18:in

call'activesupport（4.2.6）
lib/active\u support/cache/strategy/local\u cache\u middleware.rb:28:in
    if marked_for_same_origin_verification? && non_xhr_javascript_response?
      logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
      raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
    end
  end

if request.format.js?
   send_file(assetfilename, type: 'application/javascript')
else
   send_file(assetfilename)
end

class SomeController < ApplicationController
  skip_before_action :verify_authenticity_token, only: :show

  def show
    some_path = "/some/js/file/on/disk.js"
    send_file(some_path, type: "text/javascript", disposition: :inline)
  end
end

marked_for_same_origin_verification? && non_xhr_javascript_response?

  # GET requests are checked for cross-origin JavaScript after rendering.
  def mark_for_same_origin_verification!
    @marked_for_same_origin_verification = request.get?
  end

  # If the `verify_authenticity_token` before_action ran, verify that
  # JavaScript responses are only served to same-origin GET requests.
  def marked_for_same_origin_verification?
    @marked_for_same_origin_verification ||= false
  end

  def non_xhr_javascript_response?
    content_type =~ %r(\Atext/javascript) && !request.xhr?
  end

class SomeController < ApplicationController
  def show
    some_path = "/some/js/file/on/disk.js"

    respond_to do |format|
      format.js {
        send_file(some_path, type: "text/javascript", disposition: :inline) 
      }
      format.html {
        "Html request from browser. Try sending a js request to get <Javascript>"
      }
    end
  end
end

    class SomeController < ApplicationController
        protect_from_forgery except: :show 
        ...
    end