[英]Why do I get 403 forbidden when making a cross-origin request — even though my code is setting a CRSF cookie
I try to perform login + another POST request with axios and it seems that it works well if i use the same host ( ie localhost to localhost, or 127.0.0.1 to 127.0.0.1) but not when going from localhost -> 127.0.0.1 or vice versa.我尝试使用 axios 执行登录 + 另一个 POST 请求,如果我使用相同的主机(即 localhost 到 localhost,或 127.0.0.1 到 127.0.0.1)似乎效果很好,但从 localhost -> 127.0.0.1 时却不行或相反亦然。 Please assist me finding what am I missing in my configuration,请帮助我找出我的配置中缺少什么,
ALLOWED_HOSTS = []
REMOVE_SLASH = True
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = [
"http://localhost:8080",
"http://127.0.0.1:8080",
"http://localhost:19006",
"http://127.0.0.1:19006"
]
INSTALLED_APPS = [
'corsheaders',
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework'
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
let APIKit = axios.create({
withCredentials: true,
baseURL: 'http://127.0.0.1:8000',
timeout: 10000,
});
APIKit.post("/user?action=login", {...})
APIKit.get('/requests/')
Login succeeds but server sends new csrf token, which is ignored in axios as you can see in the following pictures, and thus receiving 403 Forbidden登录成功,但服务器发送新的 csrf 令牌,在 axios 中被忽略,如下图所示,因此收到 403 Forbidden
: true
Access-Control-Allow-Origin: http://localhost:19006
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie: csrftoken=Huur0KQgFMtokszTOUa1gGaWJNODn8blYvjfEO2UGnuyN75hWy1cZLVTaND2ypZ9; expires=Thu, 31 Mar 2022 08:03:39 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie: sessionid=r6alaupw0484mreqt8r4vlqe17hxdjsc; expires=Thu, 15 Apr 2021 08:03:39 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
POST /user?action=login HTTP/1.1
Host: 127.0.0.1:8000
Connection: keep-alive
Content-Length: 49
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://localhost:19006
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
GET /requests/ HTTP/1.1
Host: 127.0.0.1:8000
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Origin: http://localhost:19006
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:19006/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,he;q=0.8,de;q=0.7
it seems that in my case there was a problem with a SameSite=Lax cookie, that caused the client not saving cookies.在我的情况下,SameSite=Lax cookie 似乎存在问题,导致客户端没有保存 cookies。
If you put the cursor on the alert icon, it actually says that Set-Cookie was blocked due to the SameSite=Lax;如果您将 cursor 放在警报图标上,它实际上表示 Set-Cookie 因 SameSite=Lax 而被阻止; Reading a bit about it led me to;读了一些关于它的信息让我明白了;
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite https://docs.djangoproject.com/en/3.1/ref/settings/ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite https://docs.djangoproject.com/en/3.1/ref/settings/
So, adding the following settings seems to solve it:因此,添加以下设置似乎可以解决它:
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.