【发布时间】:2017-11-14 12:49:31
【问题描述】:
所以,对于我的生活,我无法弄清楚如何让大猩猩的 csrf 在不直接注入田地的情况下工作。它一直在谈论通过标头和 cookie 传递它,但我所做的一切似乎都不起作用……这是我的 go 服务器所拥有的:
`
package main
import (
"gorilla/mux"
"gorilla/csrf"
"net/http"
"log"
"encoding/json"
"http/template"
"time"
)
func showLoginPage(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Set-Cookie", "_gorilla_csrf="+csrf.Token(r))
templates.ExecuteTemplate(w, "<template_here>", nil)
}
func doLogin(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Set-Cookie", "_gorilla_csrf="+csrf.Token(r))
/**
builds resp
**/
w.Write(resp)
}
func main() {
r := mux.NewRouter()
r.HandleFunc("/login", showLoginPage).Methods("GET")
r.HandleFunc("/login", doLogin).Methods("POST")
r.PathPrefix("/js/").Handler(http.StripPrefix("/js/", http.FileServer(http.Dir("./js"))))
r.PathPrefix("/css/").Handler(http.StripPrefix("/css/", http.FileServer(http.Dir("./css"))))
srv := &http.Server{
Handler: csrf.Protect([]byte("very-secret-string"), csrf.Secure(false))(r),
Addr: "127.0.0.1:8000",
// Good practice: enforce timeouts for servers you create!
WriteTimeout: 15 * time.Second,
ReadTimeout: 15 * time.Second,
}
log.Fatal(srv.ListenAndServe())
}
`
然而,在我的前端我有这个,以便所有请求都得到更新: `
var getCookie = function(cname) {
var name = cname + "=";
var ca = document.cookie.split(';');
for (var i = 0; i < ca.length; i++) {
var c = ca[i];
while (c.charAt(0) == ' ') c = c.substring(1);
if (c.indexOf(name) == 0) return c.substring(name.length, c.length);
}
return "";
};
$.ajaxPrefilter(function( options ) {
options.beforeSend = function (xhr) {
xhr.setRequestHeader('X-CSRF-Token', getCookie('_gorilla_csrf'));
}
});
`
我知道我必须遗漏一些东西,但我真的似乎根本无法理解这一点。任何帮助将不胜感激。
【问题讨论】:
标签: javascript jquery go gorilla