How do I turn off printing the authenticity token (CSRF) in Rails 5.2?

Question

This question is not asking how to disable checking the authenticity token in the Rails app (that could be done using skip_forgery_protection inside the controller), but is asking how to avoid printing these HTML tags:

<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="cpm9jpvGk5RYBjI4RSQXL4M9x/tRCGFNQyboLAOMQg44e3UCydZzhjeyJ5eJEXhswWLoC8zd1Ure0Us07AjC9w==" />

Answer 1

Score: 1

These two tags are added by the <%= csrf_meta_tags %> method in your view layout. If you remove this method call, the tags won't be added to your HTML head anymore.

However, depending on how you use JavaScript in your frontend, CSRF validation might break in this case as you may need the meta tags in order for JavaScript libraries to send a CSRF token with their requests.

See https://guides.rubyonrails.org/security.html#csrf-countermeasures for details.
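
The dependency the answer above describes, as an added example that is not part of the original answer: front-end code reads the csrf-token meta tag and sends it in the X-CSRF-Token header, so a layout without csrf_meta_tags leaves non-GET requests with no token to send. The names readCsrfMeta, withCsrf and fakeDocument, and the sample token value, are constructed for illustration.

```javascript
// Added example, not code from the original answer.
// With forgery protection enabled, Rails verifies the token on every
// request that is not GET or HEAD.
const UNVERIFIED_METHODS = new Set(["GET", "HEAD"]);

// Read the two tags that csrf_meta_tags emits; null when a tag is absent.
function readCsrfMeta(doc) {
  const content = (name) => {
    const el = doc.querySelector(`meta[name="${name}"]`);
    return el ? el.getAttribute("content") : null;
  };
  return { param: content("csrf-param"), token: content("csrf-token") };
}

// Return fetch() options with the X-CSRF-Token header added where Rails
// will check it. Fails loudly if the layout no longer prints the tag.
function withCsrf(doc, init = {}) {
  const method = (init.method || "GET").toUpperCase();
  const headers = { ...(init.headers || {}) };
  if (!UNVERIFIED_METHODS.has(method)) {
    const { token } = readCsrfMeta(doc);
    if (token === null) {
      throw new Error("csrf-token meta tag not found in the page");
    }
    headers["X-CSRF-Token"] = token;
  }
  return { ...init, method, headers };
}

// Constructed stand-in for `document`, so the example runs outside a browser.
function fakeDocument(metas) {
  return {
    querySelector(selector) {
      const m = /^meta\[name="([^"]+)"\]$/.exec(selector);
      if (!m || !(m[1] in metas)) return null;
      return { getAttribute: (attr) => (attr === "content" ? metas[m[1]] : null) };
    },
  };
}

// Constructed sample pages: one layout with csrf_meta_tags, one without.
const pageWithTags = fakeDocument({
  "csrf-param": "authenticity_token",
  "csrf-token": "constructed-token-value",
});
const pageWithoutTags = fakeDocument({});
```

In a browser, pass the real document, for example fetch(url, withCsrf(document, { method: "POST", body })).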

Posted by huangapple on May 25, 2023 at 02:42:21