
The protect_from_forgery method is not included in the ApplicationController of my default Rails 6 application, but there is embedded Ruby `<%= csrf_meta_tags %>` in the main application layout. Does this mean the protect_from_forgery method has been abstracted away and is no longer explicitly needed in the application controller?

I bought the Pragmatic Programmers' Rails 6 book, and the only thing I could find is: "The csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks."


1 Answer


For Rails 5.2 and later, it is enabled by default on ActionController::Base. See this commit: https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55


*   Protect from forgery by default

    Rather than protecting from forgery in the generated ApplicationController,
    add it to ActionController::Base depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    ApplicationController, but is set to true for Rails 5.2.

In the official docs: https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController::Base. This is false by default.
answered 2019-04-26T07:54:24.540
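To make the division of labour in the answer concrete: `csrf_meta_tags` only publishes the token (as two `<meta>` tags that rails-ujs reads and sends back in the `X-CSRF-Token` header), while the verification itself is what `protect_from_forgery` installs, and since the commit above that happens on `ActionController::Base` whenever `config.action_controller.default_protect_from_forgery` is true (in a generated app the flag is turned on by `config.load_defaults 5.2` or later in config/application.rb). The following is an added, stand-alone model of that mechanism written for this page; it is not Rails code and uses only the Ruby standard library. The module name `CsrfDemo`, the hash-based `session` and `request` objects, and the `handle` method with its `default_protect_from_forgery:` / `explicit_protect:` keywords are assumptions made for the example; the masking scheme (one-time pad XOR the session token, as a BREACH mitigation), the `authenticity_token` param, the `X-CSRF-Token` header and the exemption of GET/HEAD mirror what Rails does.

```ruby
require "securerandom"
require "base64"

# Added example, not Rails code: a minimal model of what protect_from_forgery
# verifies and what csrf_meta_tags renders. Uses only the Ruby stdlib.
module CsrfDemo
  TOKEN_LENGTH = 32                 # Rails uses 32 random bytes
  SAFE_METHODS = %w[GET HEAD].freeze  # never verified; must be side-effect free

  # Session-side secret, created lazily and stored base64-encoded in the session.
  def self.real_token(session)
    session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
  end

  # Per-response masked token: fresh one-time pad followed by pad XOR secret.
  # Every render yields a different string for the same session (BREACH mitigation).
  def self.masked_token(session)
    raw = Base64.strict_decode64(real_token(session))
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Recover the secret from a masked token; nil on malformed input.
  def self.unmask(masked)
    decoded = Base64.strict_decode64(masked)
    return nil unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad = decoded[0, TOKEN_LENGTH]
    xor(pad, decoded[TOKEN_LENGTH, TOKEN_LENGTH])
  rescue ArgumentError
    nil
  end

  # Constant-time comparison so a timing side channel cannot leak the token.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.valid_token?(session, candidate)
    return false unless candidate.is_a?(String)
    unmasked = unmask(candidate)
    return false if unmasked.nil?
    secure_compare(unmasked, Base64.strict_decode64(real_token(session)))
  end

  # What <%= csrf_meta_tags %> puts in the layout; rails-ujs reads these and
  # sends the csrf-token value as the X-CSRF-Token header on XHR/fetch requests.
  def self.meta_tags(session)
    %(<meta name="csrf-param" content="authenticity_token" />\n) +
      %(<meta name="csrf-token" content="#{masked_token(session)}" />)
  end

  # request is a constructed hash: { method:, params:, headers: }
  def self.verified_request?(session, request)
    return true if SAFE_METHODS.include?(request[:method])
    candidate = request[:params]["authenticity_token"] || request[:headers]["X-CSRF-Token"]
    valid_token?(session, candidate)
  end

  # Models the 5.2 change: verification runs when the framework flag is on, or
  # when a controller opted in with protect_from_forgery as apps did before 5.2.
  # Returns :rejected where Rails would raise InvalidAuthenticityToken.
  def self.handle(session, request, default_protect_from_forgery:, explicit_protect: false)
    enforce = default_protect_from_forgery || explicit_protect
    return :ok if !enforce || verified_request?(session, request)
    :rejected
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  tags = CsrfDemo.meta_tags(session)
  token = tags[/name="csrf-token" content="([^"]+)"/, 1]
  post_ok = { method: "POST", params: {}, headers: { "X-CSRF-Token" => token } }
  post_bad = { method: "POST", params: {}, headers: {} }
  puts tags
  puts "with token:    #{CsrfDemo.handle(session, post_ok, default_protect_from_forgery: true)}"
  puts "without token: #{CsrfDemo.handle(session, post_bad, default_protect_from_forgery: true)}"
  puts "flag off:      #{CsrfDemo.handle(session, post_bad, default_protect_from_forgery: false)}"
end
```

The last three lines of the `__FILE__` block are the practical point of the answer: with the flag on, a POST that carries no token is rejected even though the app's own ApplicationController never calls `protect_from_forgery`; with the flag off (an app upgraded without `load_defaults 5.2`), the same POST goes through unless the controller opts in explicitly. A token rendered for a different session does not verify either, because unmasking yields that session's secret, not this one's.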