1.5.x 非网页发送的 form 如何通过 csrf 验证？

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

For Existing Member Sign In

› Django Project

› Django REST Framework

This topic created in 4447 days ago, the information mentioned may be changed or developed.

Use of the CsrfResponseMiddleware is not recommended because of the performance hit it imposes, and because of a potential security problem (see below). It can be used as an interim measure until applications have been updated to use the csrf_token tag. It is deprecated and will be removed in Django 1.4.

jango在1.4以后的版本移除了'django.middleware.csrf.CsrfResponseMiddleware' 也就是说必须要在模板的form中加入{% csrf_token %} 。

那么请问如果这个form是从非网页post过来的（例如移动设备登陆时post用户名和密码）该怎么办？

CSRF

form

token

10 replies • 1970-01-01 08:00:00 +08:00

Archangel_SDY

Feb 21, 2014

要么你先下发一个token给客户端，要么你就干脆禁掉这个View的CSRF：
https://docs.djangoproject.com/en/1.5/ref/contrib/csrf/#django.views.decorators.csrf.csrf_exempt

tamamaxox

Feb 21, 2014 via Android

求解，Ajax需要csrf吗

Shieffan

Feb 21, 2014

@tamamaxox 不需要吧。

tamamaxox

Feb 21, 2014 via Android

@Shieffan 那不会被跨域吗

Shieffan

Feb 21, 2014

@tamamaxox 怎么跨域，你服务器没配置CORS的情况下，哪个能在其它网站上向你的站发起ajax请求

magine

Feb 21, 2014

@Archangel_SDY 额……在stackoverflow上找到的文档页面和你一样，太感谢了。

zhwei

Feb 21, 2014

/go/django

magine

Feb 21, 2014

@Archangel_SDY
setting.py的MIDDLEWARE_CLASSES中加上
django.middleware.csrf.CsrfViewMiddleware

view.py中对应的视图函数前加装饰器 @csrf_exempt

otakustay

Feb 21, 2014

CSRF和ajax有必然联系吗，都说了是Request Forgery，请求肯定是伪造的，要伪造就不一定是通过AJAX这么单纯的一个手段了，什么浏览器的沙箱都挡不了

ericls

Feb 22, 2014

刚刚我也在弄这个
对于ajax（jquery）
需要在ajax前加上就可

function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) == (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
var csrftoken = getCookie('csrftoken');

function csrfSafeMethod(method) {
// these HTTP methods do not require CSRF protection
return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}

$.ajaxSetup({
crossDomain: false, // obviates need for sameOrigin test
beforeSend: function(xhr, settings) {
if (!csrfSafeMethod(settings.type)) {
xhr.setRequestHeader("X-CSRFToken", csrftoken);
}
}
});