CSRF Error in Production: ActionController::InvalidCrossOriginRequest

I am getting the following error on my comments controller in my production environment only (works fine in development). The user flow is as follows: I have jQuery that runs when a specific button is pushed, which renders a partial file to add a new comment, a simple form. The respond_to method for the .js request in the controller is for the new.js.erb file. This should be relatively easy to do, but something is going wrong in the Rails (I am using Rails 4.1.1) code or on my server (Rackspace Cloud Server). The error is below:

ActionController::InvalidCrossOriginRequest in CommentsController#new Security warning: an embedded tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.

I have tried the following code in my comments controller (does not work). It simply renders the .js file in the browser as a text string (the JavaScript does not run).

protect_from_forgery except: :new
skip_before_action :verify_authenticity_token

I have tried removing the protect_from_forgery with: :exception method in the application_controller.rb file, but it does not work (it just renders the JavaScript in the browser as a text string).

I have tried replacing "protect_from_forgery with: :exception" with "protect_from_forgery with: :null_session", and this does not work either (gives the same InvalidCrossOriginRequest error above).

I am running out of options to fix this. Again, it's only happening in production. On my local machine (via localhost), everything works fine. The code for my comments controller is below:

class CommentsController < ApplicationController
  # before_action :set_comment, only: [:show, :edit, :update, :destroy]
  before_action :load_topic
  before_action :authenticate_user!
  # protect_from_forgery except: :new
  # skip_before_action :verify_authenticity_token

  # GET /comments
  # GET /comments.json
  def index
    @comments = Comment.all
  end

  # GET /comments/1
  # GET /comments/1.json
  def show
  end

  # GET /comments/new
  def new
    @comment = Comment.new
  end

  # GET /comments/1/edit
  def edit
  end

  # POST /comments
  # POST /comments.json
  def create
    @comment = @topic.comments.new(comment_params)
    @comment.user_id = current_user.id
    respond_to do |format|
      if @comment.save
        format.html { redirect_to @topic, notice: 'Comment was successfully created.' }
        format.json { render :show, status: :created, location: @comment }
        format.js
      else
        # @article is never set in this controller; the topic is the parent resource
        format.html { redirect_to @topic, alert: 'Unable to add comment' }
        format.json { render json: @comment.errors, status: :unprocessable_entity }
        format.js { render 'fail_create.js.erb'}
      end
    end
  end

  # PATCH/PUT /comments/1
  # PATCH/PUT /comments/1.json
  def update
    # set_comment is commented out above, so the comment must be loaded here
    @comment = @topic.comments.find(params[:id])
    respond_to do |format|
      if @comment.update(comment_params)
        format.html { redirect_to @comment, notice: 'Comment was successfully updated.' }
        format.json { render :show, status: :ok, location: @comment }
      else
        format.html { render :edit }
        format.json { render json: @comment.errors, status: :unprocessable_entity }
      end
    end
  end

  # DELETE /comments/1
  # DELETE /comments/1.json
  def destroy
    @comment = @topic.comments.find(params[:id])
    @comment.destroy
    respond_to do |format|
      format.html { redirect_to @topic, notice: 'Comment was successfully deleted.' }
      format.json { head :no_content }
      format.js
    end
  end

  private

    def load_topic
      @topic = Topic.find(params[:topic_id])
    end

    # Use callbacks to share common setup or constraints between actions.
    def set_comment
      @comment = Comment.find(params[:id])
    end

    # Never trust parameters from the scary internet, only allow the white list through.
    def comment_params
      params.require(:comment).permit(:topic_id, :body, :name)
    end
end

Any advice on fixing this issue would be appreciated.

Has this actually happened to real users, or are you only seeing this error in your logs/monitoring?

This error tends to happen when crawlers are visiting your site (which obviously doesn't happen in your development environment).

The documentation suggests you add these to your controller:

skip_before_action :verify_authenticity_token, if: :json_request?

protected

def json_request?
  request.format.json?
end

However, if this is not the case, I think you actually have a CORS problem. Two possible reasons:

  • Is your site available via HTTP and HTTPS? These are different origins!
  • Do you have multiple domains running this site? Try to inspect/log the request headers and see if there is any difference in the Origins.

You can try reproducing this in development too, if you edit your hosts file and point a domain to your local server.
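To make the mechanism behind the error concrete, here is a simplified model (added here as an illustration, not Rails' own source) of the Rails 4.1 same-origin check: the CSRF before-filter marks the request, and after the action renders text/javascript Rails raises unless the request was an XMLHttpRequest, because a script tag on another site cannot send X-Requested-With. The Request struct, handle and outcome helpers are constructed for the example, and the documentation's json_request? condition is modelled as skip_token_for.

```ruby
# Simplified model of the Rails 4.1 same-origin check (added example, not Rails' source).
# Rails raises InvalidCrossOriginRequest when an action renders text/javascript for a
# request that was NOT an XMLHttpRequest: a <script src="..."> tag on another site (or a
# crawler, or a URL typed into the address bar) cannot send X-Requested-With, so it is
# refused instead of being handed JavaScript that may contain the user's data.
class InvalidCrossOriginRequest < StandardError; end

# Constructed stand-in for ActionDispatch::Request.
Request = Struct.new(:verb, :format, :headers, keyword_init: true) do
  # jQuery's $.ajax sets this header; a <script> tag or a plain navigation does not.
  def xhr?
    headers["X-Requested-With"].to_s.casecmp("XMLHttpRequest").zero?
  end

  def json?
    format == :json
  end
end

# The before-filter verify_authenticity_token marks the request for same-origin
# verification; skipping it (skip_before_action) removes the mark and the check.
# skip_token_for models a conditional skip such as `if: :json_request?`.
def handle(req, content_type:, skip_token_for: ->(_r) { false })
  marked = !skip_token_for.call(req)  # a GET never fails the token check itself
  if marked && content_type.start_with?("text/javascript") && !req.xhr?
    raise InvalidCrossOriginRequest,
          "an embedded tag on another site requested protected JavaScript"
  end
  :rendered
end

def outcome(req, content_type, **opts)
  handle(req, content_type: content_type, **opts)
rescue InvalidCrossOriginRequest
  :invalid_cross_origin
end

# Constructed requests for GET /topics/1/comments/new.js
XHR_JS   = Request.new(verb: "GET", format: :js, headers: { "X-Requested-With" => "XMLHttpRequest" })
PLAIN_JS = Request.new(verb: "GET", format: :js, headers: {})  # script tag, crawler, address bar
JSON_REQ = Request.new(verb: "GET", format: :json, headers: {})

if __FILE__ == $0
  p outcome(XHR_JS, "text/javascript")                                       # :rendered
  p outcome(PLAIN_JS, "text/javascript")                                     # :invalid_cross_origin
  p outcome(PLAIN_JS, "text/javascript", skip_token_for: ->(r) { r.json? })  # still :invalid_cross_origin
  p outcome(PLAIN_JS, "text/javascript", skip_token_for: ->(_r) { true })    # :rendered, check disabled
end
```

The last two calls show the difference between the documentation's JSON-only skip, which leaves the JavaScript protection in place, and an unconditional skip_before_action, which silences the exception without addressing why the production request is not arriving as an XHR.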
