我目前的设置是AngularJS + Django的1.5,我已经完全扔掉的使用Django的模板引擎(即后端是pretty的多的API服务器)。
由于我没有使用 csrf_token 模板标签,Django的,反过来,不设置并发送 csrftoken 响应的cookie。按照指示由官方文档中, ensure_csrf_cookie()装饰应采用强制饰以发送 csrftoken 饼干。
我已经申请了 ensure_csrf_cookie()装饰的视图,它提供了我的Web客户端的引导调用第一个GET请求。就这样,我的网络客户端获得一个保留的CSRF令牌,并从此被允许调用不安全的方法(例如POST)到服务器。
以上设置工作正常,只有当CSRF令牌保持不变,直到浏览会话结束。
问:是否Django的CSRF令牌获取浏览会话期间更新?如果是,这是否意味着我需要在 ensure_csrf_cookie()装饰适用于所有我有意见?
1)是否Django的CSRF令牌获取浏览会话期间更新?
看起来像 CSRF 令牌是每个会话唯一的,但它是基于我的观察,我也没有官方的来源。随着Angular.js我用下面的code没有问题:
angular.module('应用',...)
的.config(函数($ httpProvider){
VAR饼干= document.cookie.split(';');
VAR csrftoken = _.find(饼干,功能(五){
返回v.trim()的indexOf(csrftoken =')== 0。
});
如果(csrftoken){
$ httpProvider.defaults.headers.common ['的X CSRFToken'] = csrftoken.split('=')[1];
}
})
由于我所服务的HTML的Django的,由当时角白手起家的饼干已经存在。
2)如果是,这是否意味着我需要的ensure_csrf_cookie()装饰适用于所有我?
的意见您可以尝试 CORS 如果不是的 CSRF 。 奥托耀维护的 Django的CORS报头的包,这是众所周知的与REST框架API的正常工作。
部分(未测试)的想法适用 ensure_csrf_cookie():
ensure_csrf_cookie()来基类
My current setup is AngularJS + Django 1.5 and I have completely thrown away the use of Django's template engine (ie. the backend is pretty much an API server).
Since I am not using the csrf_token template tag, Django, in turn, does not set and send the csrftoken cookie in response. As instructed by the official docs, the ensure_csrf_cookie() decorator should be used to force the decorated view to send the csrftoken cookie.
I have applied the ensure_csrf_cookie() decorator to the view, which serves the first GET request that my web client calls at bootstrapping. With that, my web client gets a hold of the CSRF token and henceforth is allowed to call unsafe methods (ex. POST) to the server.
The above setup works fine only if the CSRF token remains the same until the browsing session ends.
Question: Does Django's CSRF token get updated during the course of a browsing session? If 'yes', does that mean I would need to apply the ensure_csrf_cookie() decorator to all the views I have?
1) Does Django's CSRF token get updated during the course of a browsing session?
Looks like the CSRF token is unique per session, but it is based in my observations, I have no "official" source. With Angular.js I use the following code without problems:
angular.module('app', ...)
.config(function($httpProvider) {
var cookies = document.cookie.split(';');
var csrftoken = _.find(cookies, function(v) {
return v.trim().indexOf('csrftoken=') == 0;
});
if(csrftoken) {
$httpProvider.defaults.headers.common['X-CSRFToken'] = csrftoken.split('=')[1];
}
})
Since I serve the HTML from Django, by the time Angular bootstraps the cookie is already there.
2) If 'yes', does that mean I would need to apply the ensure_csrf_cookie() decorator to all the views I have?
You can try CORS instead if CSRF. Otto Yiu maintains the django-cors-headers package, which is known to work correctly with REST framework APIs.
Some (untested) ideas to apply ensure_csrf_cookie():
ensure_csrf_cookie() to your base classes相关推荐
最新文章