【发布时间】:2019-08-17 08:05:06
【问题描述】:
我发现六年前,之前的开发者注释掉了这行代码(Ruby、Rails):
#protect_from_forgery
我将其替换为默认值:
protect_from_forgery with: :exception
现在,当我在注销时尝试将商品添加到购物车时,神秘地出现以下错误:
Access to XMLHttpRequest at 'https://id.foo-staging.com/openid/checklogin?return_to=http%3A%2F%2Flocalhost.foo-staging.com%3A3000%2Fcart%2Fitems' (redirected from 'http://localhost.foo-staging.com:3000/cart/items') from origin 'http://localhost.foo-staging.com:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
我已经确定这是因为以下几行:
def get_user_identity_from_open_id_server
redirect_to "#{OPEN_ID_PROVIDER_URL}/openid/checklogin?return_to=#{Rack::Utils.escape(request.url)}"
end
def open_id_authentication
#stuff
get_user_identity_from_open_id_server
end
before_filter :open_id_authentication
感谢文档,我非常了解导致预检请求的原因。但我不认为我在做任何这些事情。
* the request method is anything other than GET, HEAD, or POST
* you’ve set custom request headers other than Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, or Width
* the Content-Type request header has a value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain
所以我最初的问题是如何确定触发预检请求的原因,然后也许我可以弄清楚如何防止它发生。这是一种我可以改变的情况,还是需要在 id.foo-staging.com 上改变一些东西(我无权访问,但可能会要求合适的人为我修复它)。
我整天都在谷歌上搜索,但对我来说似乎没有任何意义,尤其是因为我无法准确找出问题所在。
我可以用这段代码解决这个问题:
skip_before_filter :open_id_authentication, :only => [:create], :if => :current_user and :anonymous_cart
但从安全的角度来看,我必须假设这是不安全的?
ETA:这是我在 Network 选项卡上看到的此请求:
一般:
Request URL: https://id.foo-staging.com/openid/checklogin?return_to=http%3A%2F%2Flocalhost.foo-staging.com%3A3000%2Fcart%2Fitems
Referrer Policy: no-referrer-when-downgrade
请求标头:
Provisional headers are shown
Access-Control-Request-Headers: x-requested-with
Access-Control-Request-Method: GET
Origin: http://localhost.foo-staging.com:3000
Referer: http://localhost.foo-staging.com:3000/p/Product0/1?id=1&slug=Product0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
查询字符串参数:
return_to: http://localhost.foo-staging.com:3000/cart/items
我认为问题是x-requested-with 请求标头。但我不知道如何解决这个问题。
EATA:
Many JavaScript frameworks such as JQuery will automatically send this header along with any AJAX requests. This header cannot be sent cross-domain:
我想我唯一的选择是弄清楚如何在没有 AJAX 的情况下重写它?
【问题讨论】:
-
要确定是什么触发了预检请求,请使用浏览器开发工具中的网络窗格检查 OPTIONS 请求并查看 Access-Control-Request-Headers 请求标头的值。
标签: ruby-on-rails cors csrf-protection