您的位置: 首页  >  技术问答  >  针对CSRF基于保护的prototype.js XHR请求

针对CSRF基于保护的prototype.js XHR请求

分类: 技术问答 2022-04-20 23:49:48
问题描述:

Django的已经更新到1.3,而事实上自从1.2.5,它扩展了方案,跨站请求伪造保护令牌传递到XMLHtt prequests。 Django的人提供有益 jQuery的一个例子,以应用每一个XHR特定的头。

Django has been updated to 1.3, and in fact ever since 1.2.5, it has extended the scheme to pass a Cross Site Request Forgery protection token to XMLHttpRequests. The Django folks helpfully provide an example for jQuery to apply a specific header to every XHR.

原型(因此Scriptaculous的)必须遵守该方案,但我不能找到一种方法来告诉原型添加X-CSRFToken头。最好是在它适用于整个应用程序(如jQuery的)的方式做一次。

Prototype (and thus Scriptaculous) have to comply to this scheme, yet I can't find a way to tell prototype to add the X-CSRFToken header. The best would be to do it once in a way that applies it across the app (like for jQuery).

有没有办法做到这一点?

Is there a way to do that?

这是胡乱猜测,但你可以尝试的延长基AJAX类...

This is a wild guess but you could try extending the base AJAX class...

Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(
    function (callOriginal, options) {
        var headers = options.requestHeaders || {};
        headers["X-CSRFToken"] = getCookie("csrftoken");
        options.requestHeaders = headers;
        return callOriginal(options);
    }
);

相关推荐