CSRF token authenticity in a child controller

Time: 2013-04-05 05:15:38

Tags: ruby-on-rails iframe controller csrf-protection

Whenever I POST to my api_controller.rb, I get a CSRF warning in my Rails app (and it resets my session).

My app runs in an iframe inside PhoneGap on Windows Phone 8, and in my application_controller I have a P3P header to work around this. But in this case it doesn't seem to work. It's as if the P3P header isn't there...? Has anyone run into this?

class ApplicationController < ActionController::Base
  # Rails CSRF protection; on Rails 3 an unverified non-GET request resets the session
  protect_from_forgery
  before_filter :header_fix

  protected

  # P3P compact policy so IE accepts the session cookie when the app is framed
  def header_fix
    headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'
  end
end




class Api::ApiController < ApplicationController
  before_filter :login_required

  # Skip per-request filters inherited from the parent controller that the API does not need
  skip_before_filter :detect_device
  skip_before_filter :detect_browser
  skip_before_filter :record_log

  skip_before_filter :assign_packages
  skip_before_filter :assign_daily_bonus
end


[2646 - 2013/04/05 13:04:23] (INFO) Started POST "/api/chests" for 60.50.19.249 at 2013-04-05 13:04:23 +0800
[2646 - 2013/04/05 13:04:23] (INFO) Processing by Api::ChestsController#create as */*
[2646 - 2013/04/05 13:04:23] (INFO)   Parameters: {"force_new"=>"true"}
[2646 - 2013/04/05 13:04:23] (WARN) WARNING: Can't verify CSRF token authenticity
[2646 - 2013/04/05 13:04:23] (INFO) User agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)
[2646 - 2013/04/05 13:04:23] (DEBUG)   User Load (4.5ms)  SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2646 - 2013/04/05 13:04:23] (DEBUG)   KeyPackage Load (1.2ms)  SELECT `packages`.* FROM `packages` WHERE `packages`.`type` IN ('KeyPackage') ORDER BY cost
[2646 - 2013/04/05 13:04:23] (DEBUG)   CACHE (0.0ms)  SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2646 - 2013/04/05 13:04:23] (DEBUG)   CACHE (0.0ms)  SELECT `users`.* FROM `users` WHERE `users`.`id` IS NULL LIMIT 1
[2646 - 2013/04/05 13:04:23] (WARN) Lost session [60.50.19.249] (/api/chests) - Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)
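
The log above shows the chain protect_from_forgery walks on Rails 3: the POST carries no verifiable token, the request is treated as unverified, the session is reset, and the next user lookup runs with a NULL id. The following is an added example, not code from the question or from Rails itself: it models that verification logic in plain Ruby with no Rails dependency, so it can be run anywhere. The session cookie name `_app_session`, the user id 42 and the three constructed requests (all mirroring the POST "/api/chests" from the log) are assumptions. It demonstrates that the check fails in exactly the same way whether the client omits the token or the browser drops the session cookie, which is what happens when IE refuses a third-party cookie inside an iframe:

```ruby
require 'securerandom'

# Constructed request: HTTP method, form params, headers and cookies as plain hashes.
Request = Struct.new(:method, :params, :headers, :cookies)

# Minimal model of Rails 3's protect_from_forgery (added example, not Rails code).
class ForgeryProtection
  CSRF_PARAM     = 'authenticity_token' # hidden form field name used by Rails
  CSRF_HEADER    = 'X-CSRF-Token'       # header name used by the Rails UJS helpers
  SESSION_COOKIE = '_app_session'       # hypothetical cookie name for this example

  def initialize
    @store = {} # session id => session hash (stands in for a server-side session store)
  end

  # Log a user in: create a session and return the cookie value plus the CSRF token
  # the page would embed in <meta name="csrf-token">.
  def login(user_id)
    sid = SecureRandom.hex(16)
    @store[sid] = { user_id: user_id, _csrf_token: SecureRandom.base64(32) }
    [sid, @store[sid][:_csrf_token]]
  end

  # Mirrors verified_request?: GET/HEAD always pass; anything else must present the
  # session's token either as a form param or in the X-CSRF-Token header.
  # With no session there is no token to compare against, so the request cannot verify.
  def verified_request?(request, session)
    return true if %w[GET HEAD].include?(request.method)
    expected = session[:_csrf_token]
    return false if expected.nil?
    [request.params[CSRF_PARAM], request.headers[CSRF_HEADER]].any? do |got|
      got && secure_compare(expected, got)
    end
  end

  # Outcome of one request. On failure, Rails 3's default handle_unverified_request
  # resets the session, which is the "Lost session" line in the log.
  def handle(request)
    sid = request.cookies[SESSION_COOKIE]
    session = (sid && @store[sid]) || {}
    if verified_request?(request, session)
      { status: :ok, user_id: session[:user_id] }
    else
      @store.delete(sid) if sid
      { status: :lost_session, user_id: nil }
    end
  end

  private

  # Constant-time comparison (stricter than the plain == Rails 3 used).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Run the same POST /api/chests four ways and return each outcome.
def scenarios
  fp = ForgeryProtection.new
  sid, token = fp.login(42)
  params = { 'force_new' => 'true' }

  # 1. Cookie kept and token sent in the header: verifies, user 42 stays logged in.
  header_token = Request.new('POST', params, { 'X-CSRF-Token' => token },
                             { '_app_session' => sid })
  # 2. Browser drops the third-party cookie (IE in an iframe): no session, no match.
  cookie_dropped = Request.new('POST', params, { 'X-CSRF-Token' => token }, {})
  # 3. Cookie present but the client never sent the token: also unverified, session reset.
  missing_token = Request.new('POST', params, {}, { '_app_session' => sid })
  # 4. A GET after the reset is allowed through, but the session is now empty (user nil).
  get_after_reset = Request.new('GET', {}, {}, { '_app_session' => sid })

  {
    header_token:    fp.handle(header_token),
    cookie_dropped:  fp.handle(cookie_dropped),
    missing_token:   fp.handle(missing_token),
    get_after_reset: fp.handle(get_after_reset)
  }
end

scenarios.each { |name, result| puts "#{name}: #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```

Scenario 2 is the case in the question: the client did everything right, but without the cookie the server has no session token to compare against, so the P3P header (which only governs whether IE stores the cookie at all) is the part that has to work, not the token handling.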

1 answer:

Answer 0 (score: 1)

This gem for Ruby on Rails (https://github.com/grosser/ie_iframe_cookies) solved the problem.

Even though my P3P header works and my users can log in, I'm not sure why IE10 does this.