我试图将一个非ssl包装的页面提交到一个ssl包装的页面,但是我收到这个错误。
CSRF验证失败。请求中止。 失败原因:引用者检查失败 - http://< domain> /不匹配https://< domain> /。也就是说,我正在尝试向登录方法提交用户名/密码页面。 >
如果没有收到此错误,我该怎么办?
感谢 ERic
解决方案如果你认为它是安全的,这里是如何具体免除了普通视图的CSRF检查。
然而,我假设你在谈论 contrib.auth 视图,那么您可能必须编写自己的自定义版本并应用 @csrf_exempt 装饰器,而不是强制它(即,复制,粘贴,更改装饰器)上的方法 - 它不像听起来那么痛苦)。
绝对最坏的情况,大锤到裂纹坚果解决方案:强制禁用CSRF总共,对于所有视图,甚至 django.contrib。* 试图强制执行CSRF。上行是你不必黑客/ fork contrib模块;不利的是 - 没有CSRF ...
I am trying to submit a non-ssl wrapped page to an ssl wrapped page, but I get this error.
CSRF verification failed. Request aborted. Reason given for failure: Referer checking failed - <domain>/ does not match <domain>/.That is, I am trying to submit a username/password page to the login method.
How can I do this without getting this error?
Thanks ERic
解决方案If you consider it to be safe, here's how to specifically exempt a normal view from CSRF checking.
However, I'm assuming you're talking about the contrib.auth views, then you may have to write your own custom version and apply the @csrf_exempt decorator instead of the one that enforces it (ie, copy, paste, change decorator on the method - it's not as painful as it sounds).
Absolutely worst-case, sledgehammer-to-crack-nut solution: force-disable CSRF altogether, for all views, even django.contrib.* ones that try to enforce CSRF. Upside is you don't have to hack/fork contrib modules; downside is - well - no CSRF...
更多推荐
Django:CSRF验证失败
发布评论