
angularjs – Validating the CSRF token in an Angular JS POST request

Published: 2020-12-17 08:31:56 Category: Security Source: web
I'm using AngularJS with Rails. I have the following request for bulk-updating users.
$http({
    method: 'POST',
    url: $scope.update_url,
    // note: `params` are serialized into the query string; `data` goes into the request body
    params: { selected_ids: userIds }
});

Because of the URL length limit, this request cannot be a 'GET' request (http://support.microsoft.com/kb/208427).

But for a 'POST' request we need the CSRF authenticity token in the header.

How do we set the CSRF token in the POST request header?

You can set HTTP headers as described in the $http service documentation.

You can set them globally:

$httpProvider.defaults.headers.post['My-Header'] = 'value';
// or, at runtime
$http.defaults.headers.post['My-Header'] = 'value';

Or for a single request:

$http({
   headers: {
      'My-Header': 'value'
   }  
});

Here is an important quote from the Angular docs:

Cross Site Request Forgery (XSRF) Protection: XSRF is a technique by which an unauthorized site can gain your user's private data. Angular provides the following mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie called XSRF-TOKEN and sets it as the HTTP header X-XSRF-TOKEN. Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain.

To take advantage of this,your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header,and therefore be sure that only JavaScript running on your domain could have read the token. The token must be unique for each user and must be verifiable by the server (to prevent the JavaScript making up its own tokens). We recommend that the token is a digest of your site’s authentication cookie with salt for added security.
