
Request header does not include HTTP_X_CSRF_TOKEN when using AWS JS SDK

I have a Rails application where I can post answers to questions via Ajax. It works fine; however, I have added the aws-js-sdk script so that I can upload images for my answer from the browser. The image is uploaded to S3, which sends back the URL of the newly uploaded image in a callback, and then I save the answer.

I included the library like this:

 <%= javascript_include_tag "//sdk.amazonaws.com/js/aws-sdk-2.1.12.min.js" %>

Expected behaviour: when I submit an answer with an image, the request header should include HTTP_X_CSRF_TOKEN to verify the form is submitted from within my website.

Problem: the request header does not include HTTP_X_CSRF_TOKEN, which leads to the error ActionController::InvalidAuthenticityToken

The authenticity token is not set in the header. It is set as a hidden field in the form tag, like this:

<form class="edit_user" id="edit_user_6" action="/users/6/set_facilitator" accept-charset="UTF-8" data-remote="true" method="post">
  <input name="utf8" type="hidden" value="✓">
  <input type="hidden" name="_method" value="patch">
  <input type="hidden" name="authenticity_token" value="yrr7gWaLmE8ul4s0JcNmAU6H0YB+c7YR/8yCE7it+cRlG9lfdejTSFT7bhydWEQPSqv2E7gVPQ++9mvfJDfJeA==">
  <select class="form-control" data-submit="true" name="user[facilitator_id]" id="user_facilitator_id">

When you submit the form via AJAX, the authenticity_token is submitted too, as a parameter.

  Parameters: {"utf8"=>"✓", "authenticity_token"=>"vcvY+cRQC0oM99l5+BFHu6GShPAedugTP1jRqXCxRa3bVGFLjLSVbMFk78aR5N0ol1WOu1noAo/GF6B67PSk6Q==", ...}

I don't know how the S3 gem works, but if it submits directly to Amazon, then it won't use authenticity tokens. Amazon has no way to know the secret key of your Rails app on your server. Show us the HTML code that is generated, to see if the S3 gem creates a separate form that is outside of your main form, or if it tries to embed a <form> within another <form>, which is invalid HTML.

If you want, you can turn off token checks in your controller with this line:

protect_from_forgery :except => :action_method

See docs here: http://guides.rubyonrails.org/v5.0/working_with_javascript_in_rails.html#form-for and here: http://guides.rubyonrails.org/v5.0/security.html#csrf-countermeasures
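The following is an added example and is not code from the question or the answer above. It shows the alternative to disabling protect_from_forgery: keep the check and send the token yourself. Rails accepts the CSRF token either as the authenticity_token form parameter or in the X-CSRF-Token request header (jquery-ujs sets that header for data-remote forms, which is why the plain form works; a request hand-written in the S3 upload callback bypasses that helper and must set the header itself). Assumptions: the answer is POSTed to a hypothetical /answers endpoint, the layout renders csrf_meta_tags (or a form carries the hidden authenticity_token input), and the S3 client exposes upload(params, callback) as AWS.S3 does. The S3 client and fetch are injected, and the page HTML is a constructed string, so the module runs offline; in a browser you would pass the real AWS.S3 instance, window.fetch and document.documentElement.outerHTML (or read the token with document.querySelector('meta[name="csrf-token"]').content).

```javascript
// Added example (not from the original question or answer). Assumed:
// POST target /answers, csrf_meta_tags in the layout, AWS.S3-style
// upload(params, callback). S3 client and fetch are injected for offline use.

// Read the token Rails rendered into the page. Prefer <meta name="csrf-token">
// (csrf_meta_tags); fall back to the hidden authenticity_token input that
// form_for emits. Both values are Base64, so '+', '/' and '=' must survive.
function extractCsrfToken(html) {
  const meta = html.match(/<meta\s+name="csrf-token"\s+content="([^"]*)"/i);
  if (meta) return meta[1];
  const input = html.match(/name="authenticity_token"\s+value="([^"]*)"/i);
  return input ? input[1] : null;
}

// Headers jquery-ujs adds to remote requests; Rails reads X-CSRF-Token
// (request.x_csrf_token) when the authenticity_token parameter is absent.
function csrfHeaders(token) {
  return {
    'X-CSRF-Token': token,
    'X-Requested-With': 'XMLHttpRequest',
    'Content-Type': 'application/json',
  };
}

// Build the request that saves the answer once S3 has returned the image URL.
function buildSaveRequest(token, answerBody, imageUrl) {
  return {
    url: '/answers',
    options: {
      method: 'POST',
      credentials: 'same-origin', // send the Rails session cookie
      headers: csrfHeaders(token),
      body: JSON.stringify({ answer: { body: answerBody, image_url: imageUrl } }),
    },
  };
}

// Upload with the SDK's managed upload, then save the answer in the callback.
// Fail early if the page carries no token: disabling the check would be the
// wrong fix, the token just needs to travel with the request.
function uploadThenSave({ s3, fetchImpl, pageHtml, bucket, key, file, answerBody }) {
  return new Promise((resolve, reject) => {
    const token = extractCsrfToken(pageHtml);
    if (!token) {
      return reject(new Error('no CSRF token in page; render csrf_meta_tags in the layout'));
    }
    s3.upload({ Bucket: bucket, Key: key, Body: file }, (err, data) => {
      if (err) return reject(err);
      const { url, options } = buildSaveRequest(token, answerBody, data.Location);
      fetchImpl(url, options).then(resolve, reject);
    });
  });
}

// Offline run: constructed page HTML (the hidden input from the question) and
// synchronous fakes standing in for AWS.S3 and fetch. Returns the request that
// would have reached the Rails app so it can be inspected.
function runOffline() {
  const pageHtml =
    '<input type="hidden" name="authenticity_token" ' +
    'value="yrr7gWaLmE8ul4s0JcNmAU6H0YB+c7YR/8yCE7it+cRlG9lfdejTSFT7bhydWEQPSqv2E7gVPQ++9mvfJDfJeA==">';
  const recorded = {};
  const fakeS3 = {
    upload(params, cb) {
      cb(null, { Location: `https://${params.Bucket}.s3.amazonaws.com/${params.Key}` });
    },
  };
  const fakeFetch = (url, options) => {
    recorded.url = url;
    recorded.options = options;
    return Promise.resolve({ ok: true });
  };
  uploadThenSave({
    s3: fakeS3, fetchImpl: fakeFetch, pageHtml,
    bucket: 'example-bucket', key: 'answers/42.png', file: 'constructed PNG bytes',
    answerBody: 'see attached image',
  });
  return recorded; // filled synchronously because both fakes are synchronous
}
```

The direct-to-S3 upload itself is never subject to the Rails check (Rails only verifies requests that reach the Rails app), so nothing about the SDK needs to change; only the follow-up request that saves the answer has to carry the token. With this in place protect_from_forgery can stay enabled for the action.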
