CSRF fails after changing from CSS to SASS

Time: 2019-01-15 07:42:05

Tags: playframework

I have a working login page. It uses a static CSS file defined in public/stylesheets/main.css. If I replace it with an SCSS file in app/assets/stylesheets/login.scss that contains the same content, the subsequent login form submission fails.

This is the only change. I can switch back and forth to enable/disable the error.

When login fails, the application console reports:

[warn] p.filters.CSRF - [CSRF] Check failed because no or invalid token found in body for /doLogin
[warn] p.filters.CSRF - [CSRF] Check failed with NoTokenInBody for /doLogin

Why does simply changing from CSS to SASS cause this to happen?

The link for the SASS asset is defined as:

<link rel="stylesheet" media="screen" href="@routes.Assets.versioned("stylesheets/login.css")">

The headers for that request are:

Request URL: http://localhost:9000/assets/stylesheets/login.css
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:9000
Referrer Policy: strict-origin-when-cross-origin
Accept-Ranges: bytes
Cache-Control: no-cache
Content-Length: 2034
Content-Type: text/css; charset=UTF-8
Date: Tue, 15 Jan 2019 07:29:36 GMT
ETag: "c8bf6b96b934ae8cb15ef9254a2cb297919d355b"
Last-Modified: Tue, 15 Jan 2019 07:25:41 GMT
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Cookie: io=enFa_S7ur5LyuECLAAAC; PLAY_SESSION=eyJhbGciOiJIUzI1NiJ9...; auth_token=f376f49d-458b-48d8-a24d-574369452bb8; Idea-598843d6=026001dd-840c-4472-a6af-d744594b09c3; luxe-session=eyJhbGciOiJIUzI1NiJ9....
DNT: 1
Host: localhost:9000
Pragma: no-cache
Referer: http://localhost:9000/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) ...

The headers for the failed login are:

Request URL: http://localhost:9000/doLogin
Request Method: POST
Status Code: 403 Forbidden
Remote Address: [::1]:9000
Referrer Policy: strict-origin-when-cross-origin
Content-Length: 1128
Content-Type: text/html; charset=UTF-8
Date: Tue, 15 Jan 2019 07:31:40 GMT
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 117
Content-Type: application/x-www-form-urlencoded
Cookie: io=enFa_S7ur5LyuECLAAAC; PLAY_SESSION=eyJhbGciOiJIUzI1NiJ9...; auth_token=f376f49d-458b-48d8-a24d-574369452bb8; Idea-598843d6=026001dd-840c-4472-a6af-d744594b09c3; luxe-session=eyJhbGciOiJIUzI1NiJ9...
DNT: 1
Host: localhost:9000
Origin: http://localhost:9000
Pragma: no-cache
Referer: http://localhost:9000/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) ...
csrfToken: 7c3b07671c004f40fd027ff68f8397302578b930-1547537376218-86b20611d8784160e07189da
username: demo
password: demo

Here, the link for the uncompiled CSS is:

<link rel="stylesheet" media="screen" href="@routes.Assets.versioned("stylesheets/main.css")">

The headers on this asset are:

Request URL: http://localhost:9000/assets/stylesheets/main.css
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:9000
Referrer Policy: strict-origin-when-cross-origin
Accept-Ranges: bytes
Cache-Control: no-cache
Content-Length: 2289
Content-Type: text/css; charset=UTF-8
Date: Tue, 15 Jan 2019 07:35:35 GMT
ETag: "3273181a6d1b750359ac9091ef845199eecbc59e"
Last-Modified: Tue, 15 Jan 2019 06:54:34 GMT
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Cookie: io=enFa_S7ur5LyuECLAAAC; PLAY_SESSION=eyJhbGciOiJIUzI1NiJ9...; auth_token=f376f49d-458b-48d8-a24d-574369452bb8; Idea-598843d6=026001dd-840c-4472-a6af-d744594b09c3; luxe-session=eyJhbGciOiJIUzI1NiJ9...
DNT: 1
Host: localhost:9000
Pragma: no-cache
Referer: http://localhost:9000/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) 

The headers for the successful login are:

Request URL: http://localhost:9000/doLogin
Request Method: POST
Status Code: 303 See Other
Remote Address: [::1]:9000
Referrer Policy: strict-origin-when-cross-origin
Content-Length: 0
Date: Tue, 15 Jan 2019 07:33:51 GMT
Location: /dashboard
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Set-Cookie: luxe-session=eyJhbGciOiJIUzI1NiJ9....; SameSite=Lax; Path=/; HTTPOnly
Set-Cookie: PLAY_FLASH=eyJhbGciOiJIUzI1NiJ9....; SameSite=Lax; Path=/; HTTPOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: master-only
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-AU,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 117
Content-Type: application/x-www-form-urlencoded
Cookie: io=enFa_S7ur5LyuECLAAAC; PLAY_SESSION=eyJhbGciOiJIUzI1NiJ9...; auth_token=f376f49d-458b-48d8-a24d-574369452bb8; Idea-598843d6=026001dd-840c-4472-a6af-d744594b09c3; luxe-session=eyJhbGciOiJIUzI1NiJ9...
DNT: 1
Host: localhost:9000
Origin: http://localhost:9000
Pragma: no-cache
Referer: http://localhost:9000/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
csrfToken: 9bcce862a5a56a5071dff57f85338c496ec0d086-1547537627597-19c6b8e5fc99afb867e6db85
username: demo
password: demo

0 answers:

No answers
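An added illustration, not part of the question and not Play's own code: a Python model of how Play's signed CSRF token (`<hmac-sha1 hex>-<millis>-<24-hex raw token>`) is built, verified and compared, following the structure of play.filters.csrf's DefaultCSRFTokenSigner. The secret and the second token are constructed here; the first token is the one captured in the failed POST above. The point it shows is that a body token which is validly signed but carries a different raw value than the session's token is rejected on the same path as a missing token, which is exactly the "no or invalid token found in body" / NoTokenInBody warning in the logs.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-secret"  # constructed; Play uses play.http.secret.key

def sign(payload: str) -> str:
    # Play's CookieSigner: HMAC-SHA1, hex-encoded (40 chars)
    return hmac.new(SECRET, payload.encode(), hashlib.sha1).hexdigest()

def sign_token(raw: str, now_ms=None) -> str:
    # Token layout: <signature>-<millis nonce>-<raw token>
    nonce = str(now_ms if now_ms is not None else int(time.time() * 1000))
    joined = f"{nonce}-{raw}"
    return f"{sign(joined)}-{joined}"

def generate_signed_token() -> str:
    return sign_token(secrets.token_hex(12))  # 12 random bytes -> 24 hex chars

def extract_signed_token(token: str):
    # Returns the raw token only if the signature over "<nonce>-<raw>" verifies
    parts = token.split("-", 2)
    if len(parts) != 3:
        return None
    signature, nonce, raw = parts
    if not hmac.compare_digest(signature, sign(f"{nonce}-{raw}")):
        return None
    return raw

def compare_signed_tokens(a: str, b: str) -> bool:
    # Nonces may differ (tokens re-signed on each render); only the raw parts must match
    ra, rb = extract_signed_token(a), extract_signed_token(b)
    return ra is not None and rb is not None and hmac.compare_digest(ra, rb)

def check_body_against_session(body_token, session_token) -> str:
    # Mirrors the filter's decision: missing OR mismatched body token -> same rejection
    if body_token is None or not compare_signed_tokens(body_token, session_token):
        return "NoTokenInBody"
    return "ok"

# The csrfToken field posted in the failed login, as captured in the question
FAILED_BODY_TOKEN = "7c3b07671c004f40fd027ff68f8397302578b930-1547537376218-86b20611d8784160e07189da"

def describe(token: str) -> dict:
    # Split the captured token into its three fields without needing the secret
    sig, ts, raw = token.split("-", 2)
    return {"sig_len": len(sig), "issued_ms": int(ts), "raw": raw}
```

The millisecond field of the captured token decodes to 2019-01-15 07:29:36 UTC, the same second as the Date header on the login.css asset response above, so the token was minted by that page render; its raw part has to equal the raw part of the token in the session cookie at POST time for the check to pass.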