堆栈内存溢出
  简体   繁体   English

为什么在发出跨域请求时会出现 403 被禁止 - 即使我的代码正在设置 CRSF cookie

[英]Why do I get 403 forbidden when making a cross-origin request — even though my code is setting a CRSF cookie

 原文  2021-04-01 08:12:27       django/ cookies/ axios/ csrf/ samesite

问题描述

I try to perform login + another POST request with axios and it seems that it works well if i use the same host ( ie localhost to localhost, or 127.0.0.1 to 127.0.0.1) but not when going from localhost -> 127.0.0.1 or vice versa.我尝试使用 axios 执行登录 + 另一个 POST 请求,如果我使用相同的主机(即 localhost 到 localhost,或 127.0.0.1 到 127.0.0.1)似乎效果很好,但从 localhost -> 127.0.0.1 时却不行或相反亦然。 Please assist me finding what am I missing in my configuration,请帮助我找出我的配置中缺少什么,

server settings:服务器设置:

ALLOWED_HOSTS = []

REMOVE_SLASH = True

CORS_ALLOW_CREDENTIALS = True

CORS_ORIGIN_WHITELIST = [
"http://localhost:8080",
"http://127.0.0.1:8080",
"http://localhost:19006",
"http://127.0.0.1:19006"
]

INSTALLED_APPS = [
'corsheaders',
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework'
]

MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

client usage:客户端使用:

let APIKit = axios.create({
    withCredentials: true,
    baseURL: 'http://127.0.0.1:8000',
    timeout: 10000,
});

APIKit.post("/user?action=login", {...})

APIKit.get('/requests/')

Login succeeds but server sends new csrf token, which is ignored in axios as you can see in the following pictures, and thus receiving 403 Forbidden登录成功,但服务器发送新的 csrf 令牌,在 axios 中被忽略,如下图所示,因此收到 403 Forbidden 在此处输入图像描述

在此处输入图像描述

Login request headers登录请求标头

: true
Access-Control-Allow-Origin: http://localhost:19006
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie:  csrftoken=Huur0KQgFMtokszTOUa1gGaWJNODn8blYvjfEO2UGnuyN75hWy1cZLVTaND2ypZ9; expires=Thu, 31 Mar 2022 08:03:39 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie:  sessionid=r6alaupw0484mreqt8r4vlqe17hxdjsc; expires=Thu, 15 Apr 2021 08:03:39 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
POST /user?action=login HTTP/1.1
Host: 127.0.0.1:8000
Connection: keep-alive
Content-Length: 49
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://localhost:19006
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty

"requests" request headers “请求”请求标头

GET /requests/ HTTP/1.1
Host: 127.0.0.1:8000
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Origin: http://localhost:19006
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:19006/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,he;q=0.8,de;q=0.7

1 个解决方案

解决方案1
 1  2021-04-01 09:05:48

it seems that in my case there was a problem with a SameSite=Lax cookie, that caused the client not saving cookies.在我的情况下,SameSite=Lax cookie 似乎存在问题,导致客户端没有保存 cookies。 在此处输入图像描述

If you put the cursor on the alert icon, it actually says that Set-Cookie was blocked due to the SameSite=Lax;如果您将 cursor 放在警报图标上,它实际上表示 Set-Cookie 因 SameSite=Lax 而被阻止; Reading a bit about it led me to;读了一些关于它的信息让我明白了;

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite https://docs.djangoproject.com/en/3.1/ref/settings/ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite https://docs.djangoproject.com/en/3.1/ref/settings/

So, adding the following settings seems to solve it:因此,添加以下设置似乎可以解决它:

SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 发出 img 请求时的跨域读取阻塞 (CORB) 问题 - Cross-Origin Read Blocking (CORB) issue when making img request 使用AJAX进行POST请求时,为什么在Django中出现403 Forbidden错误? - Why am I getting a 403 Forbidden error in Django when I do a POST request with AJAX? 403 Forbidden CSRF cookie 即使在表单中也没有设置 - 403 Forbidden CSRF cookie not set even when it is in the form 为什么我的Dajaxice出现“ 403(禁止访问)”错误? - Why do I get a '403 (Forbidden)' error with Dajaxice? 跨域请求被阻止(Ionic + Django) - Cross-Origin Request Blocked (Ionic + Django) 跨域请求被阻止 Django 和反应 - Cross-Origin Request Blocked Django and React 使用 React(Django 后端)进行 axios 调用时出现 403 禁止请求 - 403 Forbidden request when making an axios call with React (Django backend) 在 Django 框架中发出 ajax Post 请求时出现 403 Forbidden 错误 - 403 Forbidden error when making an ajax Post request in Django framework Nginx 403即使设置了权限也被禁止 - Nginx 403 Forbidden Even After Setting The Permission 为什么我会收到参考错误:'next()' 未定义,即使我的 Javascript 中定义了 next? - Why do I get a Reference Error: 'next()' is not defined, even though next is defined in my Javascript?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM