如何禁用jQuery的CSRF？

Question

I am testing a remote messaging service and I "believe" I am in need of disabling CSRF in jQuery for my initial remote test to be successful. 我正在测试远程消息传递服务，因此我“相信”我需要在jQuery中禁用CSRF才能使我的初始远程测试成功。

I have disabled CSRF in the Application Controller already. 我已经在应用程序控制器中禁用了CSRF。

If I send the POST through the application itself, the messaging works and I get the following output in my rails server log: 如果我通过应用程序本身发送POST，则消息传递有效，并且在Rails服务器日志中获得以下输出：

Started POST "/messages" for 127.0.0.1 at 2011-05-07 10:49:29 -0400 在2011-05-07 10:49:29 -0400在127.0.0.1中启动了POST“ / messages”
Processing by MessagesController#create as JS 由MessagesController＃create作为JS处理
Parameters: {"utf8"=>"✓", "authenticity_token"=>"xxx", "message"=>{"content"=>"damn"}, "commit"=>"Send"} 参数：{“ utf8” =>“✓”，“ authenticity_token” =>“ xxx”，“ message” => {“ content” =>“ damn”}，“ commit” =>“ Send”}
SQL (0.1ms) SELECT name SQL（0.1ms）SELECT名称
FROM sqlite_master 来自sqlite_master
WHERE type = 'table' AND NOT name = 'sqlite_sequence' 类型='表格'而不是名称='sqlite_sequence'

AREL (0.5ms) INSERT INTO "messages" ("content", "created_at", "updated_at") VALUES ('damn', '2011-05-07 14:49:29.887582', '2011-05-07 14:49:29.887582') Rendered messages/_message.html.erb (3.6ms) Rendered messages/create.js.erb (8.2ms) Completed 200 OK in 133ms (Views: 17.0ms | ActiveRecord: 0.6ms) AREL（0.5ms）插入“消息”（“内容”，“ created_at”，“ updated_at”）值（“该死”，“ 2011-05-07 14：49：29.887582”，“ 2011-05-07 14”）： 49：29.887582'）呈现的messages / _message.html.erb（3.6ms）呈现的message / create.js.erb（8.2ms）在133ms内完成200 OK（查看：17.0ms | ActiveRecord：0.6ms）

If I send the following POST command via cURL, I get this output: 如果我通过cURL发送以下POST命令，则会得到以下输出：

    curl -X POST -d 'message={"content":"lololol", "commit":"Send"}' http://localhost:3000/messages

Started POST "/messages" for 127.0.0.1 at 2011-05-07 10:54:15 -0400 在2011-05-07 10:54:15 -0400为127.0.0.1开始发布POST“ / messages”
Processing by MessagesController#create as 由MessagesController＃create处理为
Parameters: {"message"=>"{\\"content\\":\\"lololol\\", \\"commit\\":\\"Send\\"}"} 参数：{“ message” =>“ {\\” content \\“：\\” lololol \\“，\\” commit \\“：\\” Send \\“}”}
AREL (0.3ms) INSERT INTO "messages" ("content", "created_at", "updated_at") VALUES (NULL, '2011-05-07 14:54:15.934156', '2011-05-07 14:54:15.934156') AREL（0.3ms）插入“消息”（“内容”，“ created_at”，“ updated_at”））值（NULL，'2011-05-07 14：54：15.934156'，'2011-05-07 14:54： 15.934156'）
Rendered messages/_message.html.erb (0.5ms) 呈现的messages / _message.html.erb（0.5ms）
Rendered messages/create.js.erb (4.2ms) 呈现的messages / create.js.erb（4.2ms）
Completed 200 OK in 309ms (Views: 28.1ms | ActiveRecord: 0.3ms) 在309毫秒内完成200 OK（查看：28.1毫秒| ActiveRecord：0.3毫秒）

I can see a blank entry on my page with a timestamp of when I run the cURL command and a record is being created in the database with everything but the content. 我可以在页面上看到一个空白条目，上面带有时间戳记，表示我何时运行cURL命令，并且正在数据库中创建除内容以外的所有内容的记录。

Is it safe to assume the reason for this is due to the CSRF in jQuery not allowing the content to get published? 是否可以安全地假设其原因是由于jQuery中的CSRF不允许发布内容？ If so, how do I disable it? 如果是这样，如何禁用它？ Or am POSTing it wrong with cURL? 还是用cURL发布错误？ or a mixture of both? 还是两者的混合物？

Thank you in advance for any help. 预先感谢您的任何帮助。

Answer 1

Your POST is wrong. 您的POST错误。 The right syntax is: 正确的语法是：

curl -X POST -d 'message[content]=lololol&commit=Send' http://localhost:3000/messages

CSRF protection wouldn't change the params. CSRF保护不会改变参数。 By default, when CSRF verification fails, Rails only resets the session (see the source of handle_unverified_request ). 默认情况下，当CSRF验证失败时，Rails仅重置会话（请参见handle_unverified_request的源）。

如何禁用jQuery的CSRF？

问题描述

1 个解决方案

解决方案1
0 已采纳 2011-05-07 16:04:47

如何禁用jQuery的CSRF？

问题描述

1 个解决方案

解决方案1 0 已采纳 2011-05-07 16:04:47

解决方案1
0 已采纳 2011-05-07 16:04:47