This topic was created 4471 days ago; the information in it may have changed or been updated since.
Use of the CsrfResponseMiddleware is not recommended because of the performance hit it imposes, and because of a potential security problem (see below). It can be used as an interim measure until applications have been updated to use the csrf_token tag. It is deprecated and will be removed in Django 1.4.
Django removed 'django.middleware.csrf.CsrfResponseMiddleware' from version 1.4 onward, which means {% csrf_token %} must be added to the form in the template.
So my question is: what should be done when the form is POSTed from somewhere other than a web page (for example, a mobile device POSTing a username and password at login)?
10 replies • 1970-01-01 08:00:00 +08:00
2
tamamaxox Feb 21, 2014 via Android
Looking for an answer: does Ajax need CSRF?
9
otakustay Feb 21, 2014
Is there any necessary connection between CSRF and Ajax? It is called Request Forgery: the request is forged, and forging it certainly doesn't have to go through something as simple as AJAX; no browser sandbox can stop that.
10
ericls Feb 22, 2014
I was just working on this too. For Ajax (jQuery), you only need to add the following before the Ajax call:
function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie != '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) == (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}
var csrftoken = getCookie('csrftoken');

function csrfSafeMethod(method) {
    // these HTTP methods do not require CSRF protection
    return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}

$.ajaxSetup({
    crossDomain: false, // obviates need for sameOrigin test
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type)) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});
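The following is an added example, not code from the thread or from Django itself: a minimal Python model of the double-submit check behind the jQuery snippet above, showing why a client that reads the csrftoken cookie and echoes it in the X-CSRFToken header (Ajax or a mobile app) passes, while a POST from another origin that only carries the cookie is rejected. It assumes the Django 1.x behaviour of comparing the cookie with either the csrfmiddlewaretoken form field or the header; the names Request, check_csrf, client_post and cross_site_post are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods Django's middleware leaves unchecked, as in csrfSafeMethod above.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Hypothetical stand-in for a Django HttpRequest (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def issue_token() -> str:
    """Token the server sets in the csrftoken cookie (constructed: 32 hex chars)."""
    return secrets.token_hex(16)


def check_csrf(request: Request) -> bool:
    """Double-submit check: the value in the cookie must match the value the
    client repeated in the form field or the X-CSRFToken header."""
    if request.method.upper() in SAFE_METHODS:
        return True
    cookie_token = request.cookies.get("csrftoken")
    if not cookie_token:
        return False  # nothing to compare against: reject
    submitted = request.post.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken", "")
    return hmac.compare_digest(cookie_token, submitted)  # constant-time compare


def client_post(token_from_cookie: str, data: dict) -> Request:
    """What an Ajax or mobile client does: read the cookie it was given, echo it in the header."""
    return Request("POST", cookies={"csrftoken": token_from_cookie},
                   headers={"X-CSRFToken": token_from_cookie}, post=data)


def cross_site_post(victim_cookie: str, data: dict) -> Request:
    """A POST triggered from another origin: the browser attaches the user's cookie
    automatically, but same-origin policy keeps that origin from reading it, so
    neither the header nor the form field can carry the matching value."""
    return Request("POST", cookies={"csrftoken": victim_cookie}, post=data)
```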