protect_from_forgery in Rails 6?

Question  votes: 2  answers: 1

The protect_from_forgery method is not included in my application controller in a default Rails 6 app, but the main application layout does contain the embedded Ruby <%= csrf_meta_tags %>. Does this mean the protect_from_forgery method has been abstracted away and is no longer explicitly required in the application controller?

I have bought the Pragmatic Programmers' Rails 6 book, and the only thing I could find is "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks".

Tags: ruby-on-rails ruby csrf csrf-token

1 answer

2 votes

For Rails 5.2 and later it is enabled by default on ActionController::Base. Look at this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55

*   Protect from forgery by default

    Rather than protecting from forgery in the generated ApplicationController,
    add it to ActionController::Base depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    ApplicationController, but is set to true for Rails 5.2.

Official documentation: https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController::Base. This is false by default.
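As an added illustration (not code from the question, the answer, or Rails itself), the following Ruby models what `protect_from_forgery` actually verifies on each request once it is switched on by default: the `csrf_meta_tags` / form helpers emit a masked copy of a per-session secret, and every non-GET/HEAD request must return a token that unmasks to that secret. The masking and comparison follow the scheme of Rails' `ActionController::RequestForgeryProtection`, but the function names and the simplified request shape are assumptions for the example; Rails additionally accepts a legacy unmasked 32-byte token and performs an `Origin` header check, both omitted here.

```ruby
require 'securerandom'

# Added model of the check protect_from_forgery performs on every request.
# It follows the scheme of Rails' ActionController::RequestForgeryProtection
# (a 32-byte secret per session, a freshly masked copy per form, constant-time
# comparison after unmasking) but is not Rails' code; the request shape below
# is an assumption made for this example.

TOKEN_LENGTH = 32
SAFE_METHODS = %w[GET HEAD].freeze # Rails skips verification for these verbs

# Per-session secret (Rails keeps it in session[:_csrf_token]).
def generate_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What csrf_meta_tags / form_authenticity_token emit: a one-time pad followed
# by pad XOR secret, base64-encoded. Every render gets a different token, which
# is why two loads of the same page never show the same value (the masking keeps
# the secret out of compressed responses, defeating BREACH-style leaks).
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, session_token)].pack('m0')
end

# Reverse the masking; nil for anything that is not a well-formed masked token.
# (Rails also still accepts a legacy unmasked 32-byte token; this model does not.)
def unmask_token(encoded)
  raw = encoded.to_s.unpack1('m0')
  return nil unless raw.bytesize == TOKEN_LENGTH * 2
  pad = raw[0, TOKEN_LENGTH]
  masked = raw[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, masked)
rescue ArgumentError # strict base64 decoding rejects malformed input
  nil
end

# Constant-time comparison so the token cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_authenticity_token?(session_token, submitted)
  return false if session_token.nil?
  unmasked = unmask_token(submitted)
  !unmasked.nil? && secure_compare(unmasked, session_token)
end

# Model of Rails' verified_request?: safe verbs pass; anything else must carry
# the token in the authenticity_token param or the X-CSRF-Token header
# (form helpers set the former, rails-ujs reads the meta tag for the latter).
# Rails' additional Origin-header check is omitted here.
def verified_request?(method:, session_token:, params: {}, headers: {})
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  submitted = params['authenticity_token'] || headers['X-CSRF-Token']
  valid_authenticity_token?(session_token, submitted)
end

if __FILE__ == $PROGRAM_NAME
  secret = generate_session_token
  legit  = masked_token(secret)
  forged = masked_token(generate_session_token) # well-formed, but built from an attacker's own secret
  p verified_request?(method: 'POST', session_token: secret, params: { 'authenticity_token' => legit })
  p verified_request?(method: 'POST', session_token: secret, params: { 'authenticity_token' => forged })
  p verified_request?(method: 'POST', session_token: secret) # cross-site form that carries no token
  p verified_request?(method: 'GET',  session_token: secret) # safe verb, never verified
end
```

In a freshly generated Rails 6 app the switch the answer points to is flipped by `config.load_defaults 6.0` in config/application.rb, which includes the 5.2 defaults, so the explicit `protect_from_forgery with: :exception` line only matters in an app upgraded without `load_defaults`, where `default_protect_from_forgery` stays false and the call must remain in ApplicationController. One quick check in `rails console` is `ActionController::Base.forgery_protection_strategy`, which returns the protection class when the default is on and nil when it is off.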