堆栈内存溢出
  简体   繁体   English

React / CSRF:不使用表单和隐藏的输入值而传回CSRF令牌

[英]React/CSRF: Passing Back CSRF tokens without using forms and hidden input values

 原文  2016-04-30 23:45:00       ajax/ node.js/ security/ reactjs/ csrf

问题描述

React: ^0.14.X 反应:^ 0.14.X

Sanity Check - It's common in React to build custom input components that use ajax and since tokens are passed to clients as a part of state I can imagine with React the need to use forms and hidden input values to pass csrf tokens is a step that can be skipped altogether , but when EVERYBODY on Github still building React apps that use forms and hidden input values- you start think there has to be some magicial reason why. 完整性检查-在React中通常会构建使用ajax的自定义输入组件,并且由于令牌是作为状态的一部分传递给客户端的, 我可以用React想象到,需要使用表单和隐藏的输入值来传递csrf令牌是被完全跳过了 ,但是当Github上的EVERYBODY仍在构建使用表单和隐藏输入值的React应用程序时,您开始认为必须有一些神奇的原因。

Now I know forms and hidden input values is how it is suggested to be handled in Node/SPA applications... 现在我知道表单和隐藏的输入值是建议在Node / SPA应用程序中处理的方式...

... but with React I don't see a reason for the CSRF token to ever touch the DOM(where I guess it would be susceptible to being stole), but rather just accessed from the component's state and pass it along whenever a submission is made. ...但是使用React我没有看到CSRF令牌曾经接触DOM的原因(我认为它很容易被盗),而是从组件的状态进行访问,并在每次提交时将其传递制造。

For example this Login Component that passes the csrf out from component state(to be handled later by ajax). 例如,此登录组件将csrf从组件状态传递出去(稍后由ajax处理)。 

var Login = React.createClass({

  getInitialState: function() {
    return{
      csrf: this.props.csrf,
      email:'',
      password: ''
    }
  },

  onEmailChange: function(event) {
    this.setState({email: event.target.value});
  },

  onPasswordChange: function(event) {
    this.setState({password: event.target.value});
  },

  onSubmit: function() {
    ActionCreators.login(this.state.email, this.state.password,this.state.csrf); 
  },

  render: function(){

    return (

        <div className="login-block">
            <input type="text" placeholder="Email" id="input" onChange={this.onEmailChange}/>
            <input type="password" placeholder="Password" id="input" onChange={this.onPasswordChange}/>
            <button onClick={this.onSubmit}>Submit</button>
        </div>

    )
  }

});

Question: Is there some sort of vuneribility that the code above would cause in my application that I should consider using a form and a hidden input value? 问题:上面的代码是否会在我的应用程序中引起某种形式的漏洞,我应该考虑使用表单和隐藏的输入值?

1 个解决方案

解决方案1
 0  2016-05-01 01:19:18

I don't think so, I think its just a hold-over from pre-SPA days. 我不这么认为,我认为这只是SPA之前的保留。 Maybe actually with an SPA you would ideally want to get new CSRF tokens somehow after every state change, like an AJAX request or websocket request, which wouldn't be possible if you were using a form that wasn't being refreshed. 也许实际上是使用SPA,理想情况下,您希望在每次状态更改后都以某种方式获得新的CSRF令牌,例如AJAX请求或Websocket请求,如果您使用的是未刷新的表单,则不可能。 In our app actually the CSRF token is sent via some var csrftokenblah = that is written by the EJS template rendering. 实际上,在我们的应用中,CSRF令牌是通过EJS模板渲染所编写的var csrftokenblah =发送的。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 没有表格的Django CSRF令牌 - Django CSRF Token without forms CSRF 令牌和 Codeigniter 3 - CSRF Tokens and Codeigniter 3 Codeigniter 3 多个 forms 与 ajax 和 csrf 令牌仅在一种形式上工作 - Codeigniter 3 multiple forms with ajax and csrf tokens working on one form only 具有多种形式的CSRF令牌 - CSRF token with multiple forms 传递CSRF令牌 - Passing a CSRF token 在没有提交按钮的情况下对ajax请求和表单上的CSRF进行保护 - protecting against CSRF on ajax requests and forms without submit buttons 使用AJAX GET在缓存页面中生成CSRF保护表单 - Using AJAX GET to generate CSRF protected forms in a cached page Symfony 2 - 删除表单和 CSRF 令牌 - Symfony 2 - Delete Forms and CSRF Token laravel显示了导致令牌不匹配的旧CSRF令牌 - laravel shows old CSRF tokens resulting in a tokenmismatchException 登录后是否需要csrf令牌? - Do I need csrf tokens after login?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM