CSRF_
笔记要点
内兜和外兜
Form请求和Ajax请求
代码如下:
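<!doctype html>
<!-- Django template showing two ways the CSRF token reaches the server:
     a plain form POST (hidden token field rendered by the csrf_token tag)
     and a jQuery Ajax POST (token sent in the X-CSRFToken request header). -->
<html lang="zh-Hans">
<head>
  <meta charset="UTF-8">
  <title>CSRF token demo</title>
</head>
<body>
  <!-- Form path: the csrf_token tag emits the hidden token field that is posted with the form -->
  <form action="/csrm/" method="POST">
    {% csrf_token %}
    <label for="v">输入值</label>
    <input id="v" name="v" type="text">
    <button type="submit">提交</button>
  </form>
  <!-- The click handler is bound in the script below. The original inline attribute was
       spelled with a non-ASCII "ο" ("οnclick"), so the browser never fired it; binding in
       script also keeps the markup free of inline handlers. -->
  <button id="ajax-submit" type="button">提交2</button>
  <script src="/static/jquery-1.12.4.js"></script>
  <script src="/static/jquery.cookie.js"></script>
  <script>
    {# Read the token value from the csrftoken cookie; it is echoed back in the X-CSRFToken header. #}
    var csrftoken = $.cookie("csrftoken");

    // Safe (read-only) HTTP methods carry no token; only state-changing requests do.
    function csrfSafeMethod(method) {
      return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
    }

    $.ajaxSetup({
      beforeSend: function (xhr, settings) {
        console.log("Good");
        // Attach the header only to unsafe, same-origin requests, so the token
        // is never disclosed to another origin.
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
          xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
      }
    });

    // Ajax path: post the text field's value to the same endpoint the form uses.
    function Aja() {
      console.log("Good2");
      // Select the field by name rather than ":text" so another text input on the page cannot be picked up.
      var vals = $("input[name='v']").val();
      $.ajax({
        url: "/csrm/",
        type: "POST",
        data: {"name": vals, "k1": "v1"},
        success: function (data) {
          console.log(data);
        }
      });
    }

    $("#ajax-submit").on("click", Aja);
  </script>
</body>
</html>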
from django.views.decorators.csrf import csrf_exempt, csrf_protect 这两个装饰器：
第一个表示该视图免除 CSRF 校验，另一个表示该视图需要（强制）进行 CSRF 校验