关闭Web服务的Rails 2中的真实性令牌?
[英]Turning off authenticity token in Rails 2 for web services?
问题描述
它不仅可以在HTML中填写表单,还可以发送包含参数的发布请求。例如,如果将Accept标志设置为'application / JSON',是否可以关闭真实性标记在HTTP标头?
3 个解决方案
解决方案1
7 已采纳 2008-12-08 16:02:59
The request forgery protection works on the basis of checking the content-type of requests and it only checks the requests that can be made by a browser. 
伪造保护请求的工作原理是检查请求的内容类型,并且只检查浏览器可以发出的请求。 No browser is able to generate a request with the content-type set to "application/json" for example. 例如,没有浏览器能够生成内容类型设置为“application / json”的请求。 That's why the rails forgery protection routine won't check it. 这就是为什么导轨防伪程序不会检查它。 So, if you want to make a json request to your application, set the content-type header to "application/json" and it should work. 因此,如果要向应用程序发出json请求,请将content-type标头设置为“application / json”,它应该可以正常工作。
解决方案2
1 2008-12-08 11:24:30
I know there is a way to turn it off for a controller or an action. 我知道有一种方法可以为控制器或动作关闭它。 Not sure about the content type. 不确定内容类型。 Wouldn't it be easier to just add the authenticity token to every json request? 将真实性标记添加到每个json请求会不会更容易? There are quite few articles around the web how to do it (for example here and here ). 网上有很少的文章如何做(例如这里和这里 )。
解决方案3
-1 2008-12-08 14:17:13
Wouldn't it be easier to just add the authenticity token to every json request?
Yes, but then the client would have to send a request first just to get the token and then another with the actual POST request, which does not make sense IMHO.. 是的,但是然后客户端必须首先发送请求才能获得令牌,然后另一个请求实际的POST请求,这是没有意义的恕我直言..
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.