Django CSRF fails only for POST requests from a Chrome extension

Time: 2018-05-19 12:34:59

Tags: google-chrome-extension django-rest-auth

I am requesting a key with the POST method as follows

var session_id; // to use for token based authentication
var csrftoken;  // CSRF token read from the site's cookie jar (was an implicit global)

// prep
$(document).ready(function(){
  // sending a csrftoken with every ajax request
  function csrfSafeMethod(method) {
      // these HTTP methods do not require CSRF protection
      return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
  }
  if (!chrome.cookies) {
    chrome.cookies = chrome.experimental.cookies;
  }
  // chrome.cookies needs the "cookies" permission plus a host permission for the site
  const csrf_from_cookies = {'url': 'https://dummy-site-xyz.com/', 'name': 'csrftoken'};
  chrome.cookies.get(csrf_from_cookies, function(res){
    if (!res) { return; } // cookie not present: nothing to attach
    csrftoken = res.value;
    $.ajaxSetup({
      beforeSend: function(xhr, settings) {
        // settings.type is the HTTP method; testing settings.url here (as the
        // original did) never matches, so the header was sent on every request
        if (!csrfSafeMethod(settings.type)) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
      }
    });
  });

  const sessionid = {'url': 'https://dummy-site-xyz.com/', 'name': 'sessionid'};
  chrome.cookies.get(sessionid, function(res) {
    if (res) { session_id = res.value; }
  });
});

// the request
// note: this runs at script load, before the asynchronous cookie callbacks
// above have installed the X-CSRFToken header
$.ajax({
  type: "POST",
  crossDomain: true,
  url: 'https://dummy-site-xyz.com/profile/api/v1/awesome/key',
  data: {'sessionid': 'dummy_session_id'},
  success: function(data){
    // pass
  },
  error: function( jqXHR, textStatus, errorThrown ){
    console.log(jqXHR.responseJSON);
  }
});

But it fails with

    detail: "CSRF Failed: Referer checking failed - no Referer."

The request works fine if it is sent

  1. to localhost
  2. from a local HTML file to the server
  3. from the terminal to the server
  4. but it fails from the Chrome extension.

My manifest.json

    "permissions": [
        .
        .
        .
        "https://dummy-site-xyz.com/*",
        .
        .
      ],
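An added illustration of the server-side path that produces the error quoted in the question; this is not code from the question and not Django's own source. It is a condensed Python model of the checks in Django 2.x's `CsrfViewMiddleware` and Django REST framework's `SessionAuthentication`, run over constructed requests for the four clients listed above. Which cookies and headers each client sends (the extension page attaching the site's cookies but producing no Referer, a local file or curl arriving without a session cookie) is an assumption about those clients, not something the question states.

```python
"""Condensed model of Django's CSRF referer/token check and of DRF's
SessionAuthentication, to show why the same POST is accepted from some
clients and rejected with "Referer checking failed - no Referer." from others.
Added example; the per-client headers below are assumptions."""
from urllib.parse import urlparse

# Rejection messages as worded in django.middleware.csrf (Django 2.x)
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_reject_reason(req, trusted_origins=()):
    """Return the reason CsrfViewMiddleware would reject `req`, or None."""
    if req["method"] in SAFE_METHODS:
        return None
    if req["secure"]:
        # Over HTTPS Django demands a Referer before it looks at the token,
        # so a missing Referer fails even when X-CSRFToken is correct.
        referer = req["headers"].get("Referer")
        if referer is None:
            return REASON_NO_REFERER
        parsed = urlparse(referer)
        if parsed.scheme != "https":
            return REASON_INSECURE_REFERER
        good_hosts = list(trusted_origins) + [req["host"]]
        if parsed.netloc not in good_hosts:   # Django uses is_same_domain here
            return REASON_BAD_REFERER % referer
    cookie_token = req["cookies"].get("csrftoken")
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    header_token = req["headers"].get("X-CSRFToken", "")
    if header_token != cookie_token:          # real Django compares salted tokens
        return REASON_BAD_TOKEN
    return None


def session_authenticate(req, sessions):
    """Model of DRF SessionAuthentication.authenticate: returns (user, error).

    CSRF is enforced only when the session cookie maps to an active user;
    a request without a usable session cookie is anonymous and skips it."""
    user = sessions.get(req["cookies"].get("sessionid"))
    if user is None:
        return None, None
    reason = csrf_reject_reason(req)
    if reason:
        return None, "CSRF Failed: " + reason
    return user, None


def make_request(secure, host, headers, cookies, method="POST"):
    return {"secure": secure, "host": host, "method": method,
            "headers": headers, "cookies": cookies}


SESSIONS = {"s3ss10n": "alice"}  # constructed session store


def run_scenarios():
    """The four clients from the question, with assumed headers/cookies."""
    token = "abc123"
    browser_cookies = {"sessionid": "s3ss10n", "csrftoken": token}
    scenarios = {
        # 1. dev server on http://localhost: not secure, so no Referer check at all
        "localhost": make_request(False, "localhost:8000",
                                  {"X-CSRFToken": token}, browser_cookies),
        # 2./3. file:// page (cross-origin XHR without credentials) or curl:
        #       assumed to arrive without a session cookie, so CSRF is never enforced
        "local_file_or_curl": make_request(True, "dummy-site-xyz.com", {}, {}),
        # 4. extension page: cookies for the permitted host are attached (assumed),
        #    but a chrome-extension:// page sends no Referer header
        "chrome_extension": make_request(True, "dummy-site-xyz.com",
                                         {"X-CSRFToken": token}, browser_cookies),
        # the same request if a same-site HTTPS Referer were present
        "extension_with_referer": make_request(
            True, "dummy-site-xyz.com",
            {"X-CSRFToken": token, "Referer": "https://dummy-site-xyz.com/"},
            browser_cookies),
    }
    return {name: session_authenticate(req, SESSIONS) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (user, error) in run_scenarios().items():
        print(f"{name:24s} user={user!r:10s} error={error!r}")
```

The model makes the ordering visible: for an HTTPS request from a session-authenticated user, the Referer check runs before the token comparison, so adding `X-CSRFToken` cannot help on its own, while an anonymous request (no session cookie) never reaches the CSRF check at all.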
    

0 answers:

No answers