
I developed a CORS REST server and some pages containing JS code that calls its URLs.

I decided to refactor the JS pages, and my DELETE ajax requests to the server no longer work. Part of the refactoring involved moving the URLs from http://localhost/dev to http://dev.local. I added the new URL to the allowed request origins, and in fact my GET routes still work fine.

DELETE, instead, is now not allowed (403 at preflight), and I don't understand where my mistake is.

From the developer tools' point of view, here is the OPTIONS dump:

Request URL:http://localhost:9292/users/101
Request Method:OPTIONS
Status Code:200 OK
Request Headers
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:origin, accept
Access-Control-Request-Method:DELETE
Cache-Control:no-cache
Connection:keep-alive
Host:localhost:9292
Origin:http://dev.local
Pragma:no-cache
Referer:http://dev.local/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin, accept
Access-Control-Allow-Methods:PUT, OPTIONS, DELETE, GET, POST
Access-Control-Allow-Origin:http://dev.local
Access-Control-Expose-Headers:Content-Type
Access-Control-Max-Age:1728000
Connection:close
Content-Type:text/plain
Server:thin 1.3.1 codename Triple Espresso

And here is the DELETE request, which responds with a payload containing "Forbidden":

Request URL:http://localhost:9292/users/101
Request Method:DELETE
Status Code:403 Forbidden
Request Headers
DELETE /users/101 HTTP/1.1
Host: localhost:9292
Connection: keep-alive
Cache-Control: no-cache
Origin: http://dev.local
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://dev.local/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fbsr_348362375211512=r2WOBYNXrmyP6lKJ7JVAnlU9gfLjela8jRSarGHvQ-M.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUURSRDhOckJ2YnI0MlFLTk5vblhiOGNVcjVXTFpHTDNMcVBjYl9PXzFqd3hKS0tlWFZ1cFVVMi03OXNxOU1BcjFGV2RxTzVtV0RSTllXbkxKcndUQmtZOFpMS3VmeWt0b05xU3ctVzdqNk4zVHBFQVZOM3ZlRzFKeW5lRWpiRkxSdXlPNHpGMDNVd255RFZqZ0xOdHQwMTJCUWVvb0NSR1ZSTVUtQkVhS1ZtaGtKZGdKck5RSDUwWHhQVW5wT1MyY0EiLCJpc3N1ZWRfYXQiOjEzNDY0MjUyMzgsInVzZXJfaWQiOiIxMDI5MDk2MTIzIn0; oauth2-token=; rack.session=BAh7CUkiD3Nlc3Npb25faWQGOgZFRiJFNTc3ZTMxZGZjNWUxYWNhZDU3NWUw%0ANjJkMDBkMDRiNmMxOWI0ODE5Yjk5YjMwMWI3YTMyOTM1ZjVmZWMyMGY1ZEki%0ADXRyYWNraW5nBjsARnsISSIUSFRUUF9VU0VSX0FHRU5UBjsARiItZGY1ZDgz%0AMzMyYTg4ZjBkNGY1ZGU0MGNjNzljMDhkNTUzZDJkMjkxNUkiGUhUVFBfQUND%0ARVBUX0VOQ09ESU5HBjsARiItZWQyYjNjYTkwYTRlNzIzNDAyMzY3YTFkMTdj%0AOGIyODM5Mjg0MjM5OEkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsARiItY2M5%0AZjZmZWM2NTJhNDI1OGJjNmQyOTI4NzA1MjE3OWFiMWUwZDE0N0kiB2lkBjsA%0ARmlqSSIObG9nZ2VkX2luBjsARlQ%3D%0A--c1a452275c10bd0ebe0e21fe7925d1fe7349c46f
Response Headers
HTTP/1.1 403 Forbidden
X-Frame-Options: sameorigin
Content-Type: text/plain
Set-Cookie: rack.session=BAh7CkkiD3Nlc3Npb25faWQGOgZFRiJFNTc3ZTMxZGZjNWUxYWNhZDU3NWUw%0ANjJkMDBkMDRiNmMxOWI0ODE5Yjk5YjMwMWI3YTMyOTM1ZjVmZWMyMGY1ZEki%0ADXRyYWNraW5nBjsARnsISSIUSFRUUF9VU0VSX0FHRU5UBjsARiItZGY1ZDgz%0AMzMyYTg4ZjBkNGY1ZGU0MGNjNzljMDhkNTUzZDJkMjkxNUkiGUhUVFBfQUND%0ARVBUX0VOQ09ESU5HBjsARiItZWQyYjNjYTkwYTRlNzIzNDAyMzY3YTFkMTdj%0AOGIyODM5Mjg0MjM5OEkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsARiItY2M5%0AZjZmZWM2NTJhNDI1OGJjNmQyOTI4NzA1MjE3OWFiMWUwZDE0N0kiB2lkBjsA%0ARmlqSSIObG9nZ2VkX2luBjsARlRJIgljc3JmBjsARiJFNWRjMjdjZThkNTM0%0ANWFhMTU3OGQ2ZDk3NGJjYjZjZGMzMzEwOTFiNTg5OTk1YTMyYTYxOTMzMTgy%0AMTU0N2E2ZA%3D%3D%0A--578809491df1629d183c98a530ccbcf925000b6e; path=/; HttpOnly
Access-Control-Allow-Origin: http://dev.local
Access-Control-Allow-Methods: PUT, OPTIONS, DELETE, GET, POST
Access-Control-Expose-Headers: Content-Type
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
Vary: Origin
Connection: close
Server: thin 1.3.1 codename Triple Espresso

Any idea or suggestion to pin down the problem?

Thanks, Dario.


1 Answer


After searching, and after monsur's suggestion (he helped me realize that everything was correct on the client side), I raised the Rack log level to debug and found the "attack prevented by Rack::Protection::RemoteToken" notice. The problem was a misconfiguration of rack-protection, which Sinatra uses.

By default my application was running into the CSRF protection because of the different referrer; disabling it:

set :protection, :except => [:remote_token, :frame_options]

works.

answered 2012-09-12T09:16:00.743
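The dumps in the question already show why the preflight succeeded while the DELETE was refused: the preflight is an OPTIONS request, which rack-protection treats as a safe method and never checks, whereas the DELETE carries Origin http://dev.local against Host localhost:9292, so a RemoteToken-style check sees a cross-origin unsafe request with no token and blocks it. The following is an added example, not code from the question, the answer or rack-protection itself: a small model of that rule, run over Rack-style env hashes constructed from the two dumps, plus a `trusted_origins` parameter (this example's own addition, not a rack-protection option) that shows a narrower alternative to switching the protection off for every origin. Disabling `:frame_options` only removes the X-Frame-Options header visible in the 403 response; it has no effect on whether the DELETE is accepted.

```ruby
require 'uri'

# Methods rack-protection treats as safe; the CORS preflight is an OPTIONS
# request, which is why it got a 200 while the DELETE behind it got a 403.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

def server_origin(env)
  "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}"
end

# Origin of the caller: Origin header first, then the Referer's scheme/host,
# then the Host the request was sent to (same-origin by construction).
def request_origin(env)
  return env['HTTP_ORIGIN'] if env['HTTP_ORIGIN']
  if env['HTTP_REFERER']
    ref = URI.parse(env['HTTP_REFERER'])
    port = ref.port == ref.default_port ? '' : ":#{ref.port}"
    return "#{ref.scheme}://#{ref.host}#{port}"
  end
  server_origin(env)
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# RemoteToken-style rule: safe methods always pass; unsafe methods pass only
# if they are same-origin, come from an explicitly trusted origin (this
# example's own addition), or carry a CSRF token matching the session's.
def remote_token_allows?(env, trusted_origins: [])
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  origin = request_origin(env)
  return true if origin == server_origin(env)
  return true if trusted_origins.include?(origin)
  expected = (env['rack.session'] || {})['csrf']
  token = env['HTTP_X_CSRF_TOKEN']
  !expected.nil? && !token.nil? && secure_compare(token, expected)
end

# Mirrors the debug-level notice the answer found in the Rack log.
def check(env, trusted_origins: [])
  verdict = if remote_token_allows?(env, trusted_origins: trusted_origins)
              'allowed'
            else
              '403, attack prevented by Rack::Protection::RemoteToken'
            end
  "#{env['REQUEST_METHOD']} #{env['PATH_INFO']}: #{verdict}"
end

# Rack-style env hashes constructed from the two dumps in the question.
PREFLIGHT = {
  'REQUEST_METHOD' => 'OPTIONS', 'PATH_INFO' => '/users/101',
  'rack.url_scheme' => 'http', 'HTTP_HOST' => 'localhost:9292',
  'HTTP_ORIGIN' => 'http://dev.local', 'HTTP_REFERER' => 'http://dev.local/',
  'rack.session' => {}
}.freeze

CROSS_ORIGIN_DELETE = PREFLIGHT.merge('REQUEST_METHOD' => 'DELETE').freeze

# Same DELETE issued from a page served by the API host itself (constructed).
SAME_ORIGIN_DELETE = CROSS_ORIGIN_DELETE.merge(
  'HTTP_ORIGIN' => 'http://localhost:9292', 'HTTP_REFERER' => 'http://localhost:9292/'
).freeze

# Cross-origin DELETE carrying the session's CSRF token (constructed value).
TOKEN_DELETE = CROSS_ORIGIN_DELETE.merge(
  'HTTP_X_CSRF_TOKEN' => 'constructed-token',
  'rack.session' => { 'csrf' => 'constructed-token' }
).freeze

if __FILE__ == $PROGRAM_NAME
  puts check(PREFLIGHT)
  puts check(CROSS_ORIGIN_DELETE)
  puts check(CROSS_ORIGIN_DELETE, trusted_origins: ['http://dev.local'])
  puts check(SAME_ORIGIN_DELETE)
  puts check(TOKEN_DELETE)
end
```

Run as a script, the five checks print that the preflight and the same-origin and token-bearing DELETEs are allowed, while the cross-origin DELETE from http://dev.local is blocked unless that origin is listed as trusted. The `:except => [:remote_token]` setting in the answer corresponds to skipping the check entirely, for every origin; listing the one known origin, or sending the session's CSRF token with the ajax request, keeps the protection for everyone else.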