0
我最近在MVC/angularjs上实现了XSRF。该安全网站旨在通过两种方式进行加载,可以通过直接发布或在iframe中加载。XSRF Cookie未通过http站点加载到通过https加载的iframe请求标头
这里是下面的代码: - ANGULAR
.config(function ($httpProvider) {
$httpProvider.defaults.xsrfCookieName = '@model.Handlers.XsrfHandler.COOKIE_HEADER_NAME';
$httpProvider.defaults.xsrfHeaderName = '@model.Handlers.XsrfHandler.COOKIE_HEADER_NAME';
})
MVC - 过滤
public override void OnResultExecuting(ResultExecutingContext filterContext)
{
var request = filterContext.HttpContext.Request;
var response = filterContext.HttpContext.Response;
//TODO : Check the current value of the cookie if it exists
if (request.HttpMethod != "GET")
{
base.OnResultExecuting(filterContext);
return;
}
//TODO : SHA hash the cookie or something.
var cookieValue = filterContext.HttpContext.Session.SessionID;
if (!request.Cookies.AllKeys.Contains(AntiForgeryConfig.CookieName))
{
var cookie = new HttpCookie(XsrfHandler.COOKIE_HEADER_NAME, cookieValue) { HttpOnly = false };
response.SetCookie(cookie);
}
else
{
response.Cookies[XsrfHandler.COOKIE_HEADER_NAME].Value = cookieValue;
}
base.OnResultExecuting(filterContext);
}
MVC-处理
protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
if (!xsrfMethods.Contains(request.Method.Method))
return await base.SendAsync(request, cancellationToken);
var cookie = request.Headers.GetCookies().SelectMany(chv => chv.Cookies).FirstOrDefault(cs => cs.Name == COOKIE_HEADER_NAME);
if (cookie == null)
return CreateError(request);
var headerValue = request.Headers.GetValues(COOKIE_HEADER_NAME).FirstOrDefault();
if (string.IsNullOrWhiteSpace(cookie.Value) || string.IsNullOrWhiteSpace(headerValue))
return CreateError(request);
if (headerValue.Trim().Equals(cookie.Value.Trim(), System.StringComparison.InvariantCulture))
return await base.SendAsync(request, cancellationToken);
return CreateError(request);
}
现在我们有一个客户是谁加载HTTPS在HTTP网站上的iframe(不知道为什么)。它仍然可以在Chrome浏览器中正常运行,但在IE中失败。似乎XSRF令牌没有连接到IE的POST请求头。
我的问题是,什么是标题问题的解决方法,而不必添加任何边缘案例逻辑。