英文:
How do turn off printing the authenticity token (CSRF) in Rails 5.2?
问题
这个问题并不是在问如何在Rails应用中禁用检查真实性令牌(可以在控制器内使用skip_forgery_protection来实现),而是在问如何避免打印这些HTML标记:
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="cpm9jpvGk5RYBjI4RSQXL4M9x/tRCGFNQyboLAOMQg44e3UCydZzhjeyJ5eJEXhswWLoC8zd1Ure0Us07AjC9w==" />
英文:
This question is not asking how to disable checking the authenticity token in the Rails app (that could be done using skip_forgery_protection inside the controller), but is asking how to avoid printing these HTML tags:
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="cpm9jpvGk5RYBjI4RSQXL4M9x/tRCGFNQyboLAOMQg44e3UCydZzhjeyJ5eJEXhswWLoC8zd1Ure0Us07AjC9w==" />
答案1
得分: 1
这两个标签是由你的视图布局中的 <%= csrf_meta_tags %> 方法添加的。如果你移除这个方法调用,这些标签将不再添加到你的HTML头部。
然而,根据你在前端如何使用JavaScript,CSRF验证可能会在这种情况下中断,因为你可能需要这些 meta 标签来让JavaScript库随其请求发送CSRF令牌。
请参阅https://guides.rubyonrails.org/security.html#csrf-countermeasures以获取详细信息。
英文:
These two tags are added by the <%= csrf_meta_tags %> method in your view layout. If you remove this method call, the tags won't be added to your HTML head anymore.
However, depending on how you use JavaScript in your frontend, CSRF validation might break in this case as you may need the meta tags in order for JavaScript libraries to send a CSRF token with their requests.
See https://guides.rubyonrails.org/security.html#csrf-countermeasures for details.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论