Rails forgery protection with JavaScript

Tags: javascript, ruby-on-rails, ruby-on-rails-4, csrf

I ran into a strange CSRF problem while trying to access a JavaScript file that was uploaded to a Rails server. I have a controller like this:
class SomeController < ApplicationController
  def show
    some_path = "/some/js/file/on/disk.js"
    send_file(some_path, type: "text/javascript", disposition: :inline)
  end
end
Note that I am accessing this page directly, which means there is no layout, so I cannot include the CSRF token in a layout.

Do I need to do something different to access this resource correctly?

Edit: as requested in the comments, I have added the full trace below.
actionpack (4.2.6) lib/action_controller/metal/request_forgery_protection.rb:225:in `verify_same_origin_request'
activesupport (4.2.6) lib/active_support/callbacks.rb:432:in `block in make_lambda'
activesupport (4.2.6) lib/active_support/callbacks.rb:239:in `block in halting'
activesupport (4.2.6) lib/active_support/callbacks.rb:506:in `block in call'
activesupport (4.2.6) lib/active_support/callbacks.rb:506:in `each'
activesupport (4.2.6) lib/active_support/callbacks.rb:506:in `call'
activesupport (4.2.6) lib/active_support/callbacks.rb:92:in `__run_callbacks__'
activesupport (4.2.6) lib/active_support/callbacks.rb:778:in `_run_process_action_callbacks'
activesupport (4.2.6) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (4.2.6) lib/abstract_controller/callbacks.rb:19:in `process_action'
actionpack (4.2.6) lib/action_controller/metal/rescue.rb:29:in `process_action'
actionpack (4.2.6) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
activesupport (4.2.6) lib/active_support/notifications.rb:164:in `block in instrument'
activesupport (4.2.6) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
activesupport (4.2.6) lib/active_support/notifications.rb:164:in `instrument'
actionpack (4.2.6) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
actionpack (4.2.6) lib/action_controller/metal/params_wrapper.rb:250:in `process_action'
activerecord (4.2.6) lib/active_record/railties/controller_runtime.rb:18:in `process_action'
actionpack (4.2.6) lib/abstract_controller/base.rb:137:in `process'
actionview (4.2.6) lib/action_view/rendering.rb:30:in `process'
actionpack (4.2.6) lib/action_controller/metal.rb:196:in `dispatch'
actionpack (4.2.6) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'
actionpack (4.2.6) lib/action_controller/metal.rb:237:in `block in action'
actionpack (4.2.6) lib/action_dispatch/routing/route_set.rb:74:in `dispatch'
actionpack (4.2.6) lib/action_dispatch/routing/route_set.rb:43:in `serve'
actionpack (4.2.6) lib/action_dispatch/journey/router.rb:43:in `block in serve'
actionpack (4.2.6) lib/action_dispatch/journey/router.rb:30:in `each'
actionpack (4.2.6) lib/action_dispatch/journey/router.rb:30:in `serve'
actionpack (4.2.6) lib/action_dispatch/routing/route_set.rb:817:in `call'
bullet (5.1.1) lib/bullet/rack.rb:12:in `call'
warden (1.2.6) lib/warden/manager.rb:35:in `block in call'
warden (1.2.6) lib/warden/manager.rb:34:in `catch'
warden (1.2.6) lib/warden/manager.rb:34:in `call'
rack (1.6.4) lib/rack/etag.rb:24:in `call'
rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'
rack (1.6.4) lib/rack/head.rb:13:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/flash.rb:260:in `call'
rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/cookies.rb:560:in `call'
activerecord (4.2.6) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.2.6) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
activerecord (4.2.6) lib/active_record/migration.rb:377:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.2.6) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
activesupport (4.2.6) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
activesupport (4.2.6) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (4.2.6) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/reloader.rb:73:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
web-console (2.3.0) lib/web_console/middleware.rb:28:in `block in call'
web-console (2.3.0) lib/web_console/middleware.rb:18:in `catch'
web-console (2.3.0) lib/web_console/middleware.rb:18:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.2.6) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.2.6) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.2.6) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.2.6) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.2.6) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.2.6) lib/rails/rack/logger.rb:20:in `call'
quiet_assets (1.1.0) lib/quiet_assets.rb:27:in `call_with_quiet_assets'
request_store (1.3.1) lib/request_store/middleware.rb:9:in `call'
actionpack (4.2.6) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'
rack (1.6.4) lib/rack/runtime.rb:18:in `call'
activesupport (4.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in
if marked_for_same_origin_verification? && non_xhr_javascript_response?
  logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
  raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
end
end
if request.format.js?
  send_file(assetfilename, type: 'application/javascript')
else
  send_file(assetfilename)
end
class SomeController < ApplicationController
  skip_before_action :verify_authenticity_token, only: :show

  def show
    some_path = "/some/js/file/on/disk.js"
    send_file(some_path, type: "text/javascript", disposition: :inline)
  end
end
marked_for_same_origin_verification? && non_xhr_javascript_response?

# GET requests are checked for cross-origin JavaScript after rendering.
def mark_for_same_origin_verification!
  @marked_for_same_origin_verification = request.get?
end

# If the `verify_authenticity_token` before_action ran, verify that
# JavaScript responses are only served to same-origin GET requests.
def marked_for_same_origin_verification?
  @marked_for_same_origin_verification ||= false
end

def non_xhr_javascript_response?
  content_type =~ %r(\Atext/javascript) && !request.xhr?
end
class SomeController < ApplicationController
  def show
    some_path = "/some/js/file/on/disk.js"
    respond_to do |format|
      format.js {
        send_file(some_path, type: "text/javascript", disposition: :inline)
      }
      format.html {
        # A bare string literal in the block renders nothing; render it explicitly.
        render plain: "Html request from browser. Try sending a js request to get <Javascript>"
      }
    end
  end
end
class SomeController < ApplicationController
  protect_from_forgery except: :show
  ...
end
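The following is an added example, not code from the question or from any of the answers above. It re-implements in plain Ruby, outside Rails, the two predicates that raise InvalidCrossOriginRequest at the top of the trace (ActionController::RequestForgeryProtection#verify_same_origin_request in Rails 4.2, whose source is quoted above), so each situation discussed on this page can be evaluated offline: the direct browser GET from the question, the same request made via XMLHttpRequest, the action with token verification skipped, the application/javascript workaround, and a non-GET request. The StubRequest class, the JS_PATTERN_* constants and the same_origin_verdict helper are assumptions of this example; the later-Rails pattern is included because newer versions widened the check to application/javascript, which is the reason that workaround is version-dependent.

```ruby
# Added example: a stand-alone model of the Rails 4.2 same-origin JavaScript check.
# Not Rails code; StubRequest, JS_PATTERN_* and same_origin_verdict are this example's own names.

# Stand-in for ActionDispatch::Request, exposing only what the check reads:
# request.get? and request.xhr? (true when X-Requested-With equals "XMLHttpRequest").
class StubRequest
  attr_reader :method, :headers

  def initialize(method, headers = {})
    @method = method
    @headers = headers
  end

  def get?
    method == 'GET'
  end

  def xhr?
    headers['X-Requested-With'] == 'XMLHttpRequest'
  end
end

# Content-Type patterns the check matches. The 4.2 pattern is the one quoted on this page;
# later Rails versions widened it so that application/javascript is covered too.
JS_PATTERN_RAILS_4_2 = %r(\Atext/javascript)
JS_PATTERN_LATER     = %r(\A(?:text|application)/javascript)

# Mirrors mark_for_same_origin_verification!: only GET requests that went through the
# verify_authenticity_token before_action are marked for the post-render check.
def marked_for_same_origin_verification?(request, verify_token_ran)
  verify_token_ran && request.get?
end

# Mirrors non_xhr_javascript_response?: a JavaScript body served to a request that did not
# come from XMLHttpRequest, i.e. one that a <script src=...> tag on any origin could issue.
def non_xhr_javascript_response?(request, content_type, pattern)
  !!(content_type =~ pattern) && !request.xhr?
end

# Returns :blocked where Rails would raise ActionController::InvalidCrossOriginRequest and
# :allowed otherwise. verify_token_ran: false models skip_before_action :verify_authenticity_token
# or protect_from_forgery except: :show for this action.
def same_origin_verdict(method:, content_type:, headers: {}, verify_token_ran: true,
                        pattern: JS_PATTERN_RAILS_4_2)
  request = StubRequest.new(method, headers)
  if marked_for_same_origin_verification?(request, verify_token_ran) &&
     non_xhr_javascript_response?(request, content_type, pattern)
    :blocked
  else
    :allowed
  end
end

# The situations discussed on this page, evaluated side by side.
def scenario_table
  xhr = { 'X-Requested-With' => 'XMLHttpRequest' }
  {
    # The question: the browser fetches disk.js directly; send_file sets text/javascript.
    direct_get_text_js:          same_origin_verdict(method: 'GET', content_type: 'text/javascript'),
    # The same file requested via XMLHttpRequest from one of the app's own pages.
    xhr_get_text_js:             same_origin_verdict(method: 'GET', content_type: 'text/javascript',
                                                     headers: xhr),
    # skip_before_action :verify_authenticity_token / protect_from_forgery except: :show.
    direct_get_token_skipped:    same_origin_verdict(method: 'GET', content_type: 'text/javascript',
                                                     verify_token_ran: false),
    # The application/javascript workaround passes only because of the 4.2 pattern...
    direct_get_app_js_rails_4_2: same_origin_verdict(method: 'GET', content_type: 'application/javascript'),
    # ...and is blocked again under the wider pattern of later versions.
    direct_get_app_js_later:     same_origin_verdict(method: 'GET', content_type: 'application/javascript',
                                                     pattern: JS_PATTERN_LATER),
    # Non-GET requests are never marked; they are covered by the CSRF token check instead.
    post_text_js:                same_origin_verdict(method: 'POST', content_type: 'text/javascript')
  }
end

if __FILE__ == $PROGRAM_NAME
  scenario_table.each { |name, verdict| puts format('%-28s %s', name, verdict) }
end
```

Run with `ruby same_origin_check.rb` to print the verdict for each scenario. The table makes the trade-off visible: disabling the check for the action lets a `<script src>` tag on any origin load the response, which is acceptable only when the file is static and contains nothing user-specific, while the XMLHttpRequest path keeps the check intact for the same-origin callers that actually need the file.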