Links don't work if the requesting page has "null" as its origin

Time: 2019-11-11 13:37:29

Tags: ruby-on-rails iframe cors ruby-on-rails-5

I have a standard Rails 5.2.2 app.

On one of my pages I have an iFrame. When I follow a link from inside the iFrame, my site opens in a new tab, like so:

<iframe src="/page.html" sandbox="allow-scripts allow-forms allow-top-navigation allow-popups">
  <a href="http://0.0.0.0:3005/" target="_blank">Visit the frontpage</a>
</iframe>

I can get to the site, and my logs look fine:

Started GET "/" for 127.0.0.1 at 2019-11-11 13:10:09 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 408ms (Views: 405.0ms)

But the internal links on that page don't work. When I click a link, this stack trace is printed before I am redirected back to the page I came from:

Started OPTIONS "/somewhere" for 127.0.0.1 at 2019-11-11 13:10:11 +0100

ActionController::RoutingError (No route matches [OPTIONS] "/somewhere"):

.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/debug_exceptions.rb:65:in `call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:135:in `call_app'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:30:in `block in call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `catch'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:38:in `call_app'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `block in call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `block in tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:28:in `tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `tagged'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/request_id.rb:27:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/method_override.rb:22:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/runtime.rb:22:in `call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/executor.rb:14:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/static.rb:127:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/sendfile.rb:111:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/engine.rb:524:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/configuration.rb:225:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:658:in `handle_request'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:472:in `process_client'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:332:in `block in run'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/thread_pool.rb:133:in `block in spawn_thread'
Started GET "/" for 127.0.0.1 at 2019-11-11 13:10:12 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 394ms (Views: 390.3ms)

Just to see what happens, I added this to the routes file:

match "/somewhere", to: "somewhere#somewhere", via: [:options]

If I don't protect that page with authentication, no stack trace is triggered, but I am still redirected back to where I came from:

Started OPTIONS "/somewhere" for 127.0.0.1 at 2019-11-11 13:41:18 +0100
Processing by SomewhereController#somewhere as */*
Completed 200 OK in 625ms (Views: 602.3ms)
Started GET "/" for 127.0.0.1 at 2019-11-11 13:41:19 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 413ms (Views: 409.8ms)

If I add Devise authentication to the page, the following stack trace appears:

Started OPTIONS "/somewhere" for 127.0.0.1 at 2019-11-11 13:33:31 +0100
Processing by SomewhereController#somewhere as */*
Completed 422 Unprocessable Entity in 1ms

ActionController::InvalidAuthenticityToken (The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin.
If you cannot change the referrer policy, you can disable origin checking with the
Rails.application.config.action_controller.forgery_protection_origin_check setting.
):

.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/request_forgery_protection.rb:433:in `valid_request_origin?'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/request_forgery_protection.rb:291:in `verified_request?'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/request_forgery_protection.rb:230:in `verify_authenticity_token'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:426:in `block in make_lambda'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:179:in `block (2 levels) in halting_and_conditional'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:180:in `block in halting_and_conditional'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:513:in `block in invoke_before'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:513:in `each'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:513:in `invoke_before'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:131:in `run_callbacks'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/abstract_controller/callbacks.rb:41:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/rescue.rb:22:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/notifications.rb:168:in `block in instrument'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/notifications.rb:168:in `instrument'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/abstract_controller/base.rb:134:in `process'
.gems/ruby/2.4.0/gems/actionview-5.2.2/lib/action_view/rendering.rb:32:in `process'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal.rb:191:in `dispatch'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal.rb:252:in `dispatch'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/routing/route_set.rb:34:in `serve'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/journey/router.rb:52:in `block in serve'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/journey/router.rb:35:in `each'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/journey/router.rb:35:in `serve'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/routing/route_set.rb:840:in `call'
.gems/ruby/2.4.0/gems/warden-1.2.8/lib/warden/manager.rb:36:in `block in call'
.gems/ruby/2.4.0/gems/warden-1.2.8/lib/warden/manager.rb:34:in `catch'
.gems/ruby/2.4.0/gems/warden-1.2.8/lib/warden/manager.rb:34:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/tempfile_reaper.rb:15:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/etag.rb:25:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/conditional_get.rb:38:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/head.rb:12:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/session/abstract/id.rb:232:in `context'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/session/abstract/id.rb:226:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/cookies.rb:670:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:98:in `run_callbacks'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/executor.rb:14:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:135:in `call_app'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:30:in `block in call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `catch'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:38:in `call_app'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `block in call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `block in tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:28:in `tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `tagged'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/request_id.rb:27:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/method_override.rb:22:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/runtime.rb:22:in `call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/executor.rb:14:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/static.rb:127:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/sendfile.rb:111:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/engine.rb:524:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/configuration.rb:225:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:658:in `handle_request'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:472:in `process_client'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:332:in `block in run'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/thread_pool.rb:133:in `block in spawn_thread'
Started GET "/" for 127.0.0.1 at 2019-11-11 13:33:31 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 681ms (Views: 677.9ms)

The following trick suggested in the stack trace didn't change anything:

Rails.application.configure do
  config.action_controller.forgery_protection_origin_check = false
end

I also tried, as suggested here, setting action_dispatch.default_headers to various values, without any luck:

config.action_dispatch.default_headers = {
  'Referrer-Policy' => 'no-referrer'
}

Any idea what is going on?
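The failure mode described above, as an added example that is not code from the question, the answer or Rails itself: a standalone Ruby model of the origin that a document inside a sandboxed iframe gets, and of the origin rule Rails 5.2 applies in request_forgery_protection.rb, so the "null" origin rejection in the trace can be reproduced without booting the app. The request shape (method, Origin header, base URL) and the base URL http://0.0.0.0:3005 are assumptions taken from the question; the rest of the middleware stack is not modelled.

```ruby
# Added example (not from the question, the answer or the Rails source):
# models why a request from a sandboxed iframe fails Rails' CSRF origin check.

NULL_ORIGIN = 'null'.freeze

# Origin a document inside <iframe sandbox="..."> gets: without the
# allow-same-origin token the browser gives it an opaque origin, which the
# Origin header serialises as the literal string "null". Pages it opens via
# allow-popups inherit the sandbox unless allow-popups-to-escape-sandbox is set.
def sandboxed_origin(page_origin, sandbox_tokens)
  sandbox_tokens.to_s.split.include?('allow-same-origin') ? page_origin : NULL_ORIGIN
end

# Reimplementation of the rule in Rails 5.2 request_forgery_protection.rb:
# GET/HEAD are never checked; otherwise, with forgery_protection_origin_check
# on, a literal "null" Origin raises InvalidAuthenticityToken (the message in
# the trace), a present Origin must equal the request's base URL, and finally
# the authenticity token must be valid.
# Returns :verified, :rejected or :null_origin.
def forgery_check(method, origin, base_url, origin_check: true, token_valid: true)
  return :verified if %w[GET HEAD].include?(method.to_s.upcase)
  if origin_check
    return :null_origin if origin == NULL_ORIGIN
    return :rejected unless origin.nil? || origin == base_url
  end
  # A CORS preflight (OPTIONS) carries no CSRF token, so disabling the
  # origin check alone still ends here with token_valid = false.
  token_valid ? :verified : :rejected
end

# Predict what the app sees for a request issued from a document whose
# origin was derived from the given iframe sandbox attribute.
def outcome_for(sandbox_tokens, method, base_url: 'http://0.0.0.0:3005', token_valid: true)
  forgery_check(method, sandboxed_origin(base_url, sandbox_tokens), base_url,
                token_valid: token_valid)
end

if __FILE__ == $PROGRAM_NAME
  sandbox = 'allow-scripts allow-forms allow-top-navigation allow-popups'
  puts "OPTIONS from sandboxed page:  #{outcome_for(sandbox, 'OPTIONS')}"
  puts "GET from sandboxed page:      #{outcome_for(sandbox, 'GET')}"
  puts "OPTIONS with allow-same-origin: #{outcome_for(sandbox + ' allow-same-origin', 'OPTIONS')}"
end
```

The GET in the log is never checked, which is why the front page loads; only the OPTIONS request with Origin "null" trips the check, and adding allow-same-origin to the sandbox attribute is what gives the document a real origin.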

1 answer:

Answer 0 (score: 2)

You can set 'Access-Control-Allow-Origin' in your service to * or to the host name with the port to avoid CORS issues and get the authentication token:

# in config/application.rb
config.action_dispatch.default_headers = {
  'Access-Control-Allow-Origin'  => 'http://my-web-service-consumer-site.com',
  # Response header listing the allowed methods. (Access-Control-Request-Method
  # is the request-side header the browser sends, so it has no effect here.)
  'Access-Control-Allow-Methods' => %w[GET POST OPTIONS].join(',')
}

Sources:

https://medium.com/@Nicholson85/handling-cors-issues-in-your-rails-api-120dfbcb8a24
https://demisx.github.io/rails-api/2014/02/18/configure-accept-headers-cors.html