How to protect against CSRF when using Backbone.js to post data?

前端 未结 4 1123
情话喂你
情话喂你 2021-02-04 14:43

Backbone.js handles posting data to server under the hood, so there is no easy way to insert a CSRF token in the payload. How can I protect my site against CSRF in this situatio

相关标签:
4条回答
  • 2021-02-04 14:45

    Here's an updated version, based in Django 1.7 (using the jQuery cookie plugin)

    oldSync = Backbone.sync
    Backbone.sync = (method, model, options) ->
    
        csrfSafeMethod = (method) ->
            # these HTTP methods do not require CSRF protection
            /^(GET|HEAD|OPTIONS|TRACE)$/.test method
    
        options.beforeSend = (xhr, settings) ->
            if !csrfSafeMethod(settings.type) and !@crossDomain
                xhr.setRequestHeader 'X-CSRFToken', $.cookie('csrftoken')
            return
        oldSync method, model, options
    
    0 讨论(0)
  • 2021-02-04 14:54

    You can use a prefilter to add the token to all requests:

    $.ajaxPrefilter(function(opts) {
        if (opts.data) {
            opts.data += "&";
        }
        opts.data += "csrfToken=" + token;
    });
    

    You may need to add additional logic if you don't always send the token.

    0 讨论(0)
  • 2021-02-04 14:55

    I know it's a bit old question, but I'll leave a link to the github repo of AMD module just for this:

    https://github.com/kuc2477/backbone.csrf.git (disclaimer: I'm the author of the module)

    0 讨论(0)
  • 2021-02-04 14:57

    Setting a global CSRF-token for all jQuery.ajax calls:

    $(function(){ 
      $.ajaxSetup({
        headers: {'X-CSRFToken': CSRF_TOKEN}
      });
    })
    

    Setting the token just for Backbone by overriding Backbone.sync:

    var oldSync = Backbone.sync;
    Backbone.sync = function(method, model, options){
      options.beforeSend = function(xhr){
        xhr.setRequestHeader('X-CSRFToken', CSRF_TOKEN);
      };
      return oldSync(method, model, options);
    };
    

    EDIT: Fixed a typo Kadam points at in comments

    0 讨论(0)
提交回复
热议问题