I have a login form on all of my static pages. I have enabled the CSRF middleware in my project. Now, when a user submits the form from an HTTP static page, I get the error
csrf verification failed
Is there any way to ensure cross-site verification works even when posting from a non-secure page to a secure page?
I want neither to add the csrf_exempt decorator nor to change the pages to HTTPS.
Here is my template:
<form action='{{login_url}}' method='post'>
{# the CSRF token must be rendered inside the form that POSTs to login_url #}
{% csrf_token %}
<div class="searchbox login">
<input autocomplete="off" id="id_fakeusername" type="text" name="fakeusername" maxlength="100" value='Email' style="color: #727272" onfocus="$('#id_fakeusername').hide();$('#id_username').show();$('#id_username').focus();" />
<input autocomplete="off" type="text" id="id_username" name="username" maxlength="100" style="display: none" value='' onblur="if ($('#id_username').attr('value') == '') {$('#id_username').hide();$('#id_fakeusername').show();}" />
</div>
<div class="searchbox login">
<input autocomplete="off" id="id_fakepassword" type="text" name="fakepassword" maxlength="50" style="color: #727272" value='Password' onfocus="$('#id_fakepassword').hide(); $('#id_password').show(); $('#id_password').focus();" />
<input autocomplete="off" type="password" id="id_password" name="password" style="display: none" value='' onblur="if ($('#id_password').attr('value') == '') {$('#id_password').hide();$('#id_fakepassword').show();}" />
</div>
{% block nativewin %}
<div class="loginbut"><input type="submit" title="Login" value="Login" /></div>
{% endblock nativewin %}
</form>
Answer 0: (score: 3)
From the CsrfViewMiddleware code [1]:
# Suppose user visits http://example.com/
# An active network attacker (man-in-the-middle, MITM) sends a
# POST form that targets https://example.com/detonate-bomb/ and
# submits it via JavaScript.
#
# The attacker will need to provide a CSRF cookie and token, but
# that's no problem for a MITM and the session-independent
# nonce we're using. So the MITM can circumvent the CSRF
# protection. This is true for any HTTP connection, but anyone
# using HTTPS expects better! For this reason, for
# https://example.com/ we need additional protection that treats
# http://example.com/ as completely untrusted. Under HTTPS,
# Barth et al. found that the Referer header is missing for
# same-domain requests in only about 0.2% of cases or less, so
# we can use strict Referer checking.
So I think the answer to your question is 'no', using the built-in protection!
[1] https://github.com/django/django/blob/master/django/middleware/csrf.py#L118
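The Referer rule the quoted comment describes, as an added example that is not Django's own code: a simplified stand-in for the check CsrfViewMiddleware applies only to HTTPS requests, with the request URLs, Referer values and the `good_hosts` parameter constructed for this demonstration.

```python
# Added example, not Django's code: a simplified model of the strict Referer
# check that CsrfViewMiddleware performs on HTTPS requests. It shows why a
# POST from an http:// page to an https:// endpoint is rejected even when the
# CSRF cookie and token are present.
from urllib.parse import urlparse

REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match %s."


def check_referer(request_url, referer, good_hosts=None):
    """Return None if the request passes the check, otherwise the failure reason.

    request_url: full URL of the POST target (constructed for the demo).
    referer:     value of the Referer header, or None if the browser sent none.
    good_hosts:  hypothetical extra trusted hosts, e.g. a known static-site host.
    """
    target = urlparse(request_url)
    if target.scheme != "https":
        # Plain-HTTP requests only get the cookie/token comparison; the
        # Referer is not consulted, because a MITM could forge it anyway.
        return None
    if not referer:
        return REASON_NO_REFERER
    ref = urlparse(referer)
    expected = "https://" + target.netloc
    # The Referer must itself be an https:// origin; an http:// page is
    # treated as completely untrusted, which is exactly the OP's situation.
    if ref.scheme != "https" or not ref.netloc:
        return REASON_BAD_REFERER % (referer, expected)
    allowed = {target.netloc, *(good_hosts or [])}
    if ref.netloc not in allowed:
        return REASON_BAD_REFERER % (referer, expected)
    return None


if __name__ == "__main__":
    # Constructed sample: a login POST from an HTTP static page to HTTPS.
    print(check_referer("https://example.com/login/", "http://example.com/"))
```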
Answer 1: (score: 0)
Did you add {{ csrf_token }} in the template?
<form action="/contact/" method="post">{% csrf_token %}
{{ form.as_p }}
<input type="submit" value="Submit" />
</form>
Did you add RequestContext in render_to_response?
from django.template import RequestContext
from django.shortcuts import render_to_response

def contact(request):
    # RequestContext runs the context processors, including the one that
    # makes the CSRF token available to {% csrf_token %} in the template
    return render_to_response('contact.html', {'form': form},
                              context_instance=RequestContext(request))
If it still does not work, follow the steps described in the docs.