0
我最近在MVC/angularjs上實現了XSRF。該安全網站旨在通過兩種方式進行加載,可以通過直接發佈或在iframe中加載。XSRF Cookie未通過http站點加載到通過https加載的iframe請求標頭
這裏是下面的代碼: - ANGULAR
.config(function ($httpProvider) {
$httpProvider.defaults.xsrfCookieName = '@model.Handlers.XsrfHandler.COOKIE_HEADER_NAME';
$httpProvider.defaults.xsrfHeaderName = '@model.Handlers.XsrfHandler.COOKIE_HEADER_NAME';
})
MVC - 過濾
public override void OnResultExecuting(ResultExecutingContext filterContext)
{
var request = filterContext.HttpContext.Request;
var response = filterContext.HttpContext.Response;
//TODO : Check the current value of the cookie if it exists
if (request.HttpMethod != "GET")
{
base.OnResultExecuting(filterContext);
return;
}
//TODO : SHA hash the cookie or something.
var cookieValue = filterContext.HttpContext.Session.SessionID;
if (!request.Cookies.AllKeys.Contains(AntiForgeryConfig.CookieName))
{
var cookie = new HttpCookie(XsrfHandler.COOKIE_HEADER_NAME, cookieValue) { HttpOnly = false };
response.SetCookie(cookie);
}
else
{
response.Cookies[XsrfHandler.COOKIE_HEADER_NAME].Value = cookieValue;
}
base.OnResultExecuting(filterContext);
}
MVC-處理
protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
if (!xsrfMethods.Contains(request.Method.Method))
return await base.SendAsync(request, cancellationToken);
var cookie = request.Headers.GetCookies().SelectMany(chv => chv.Cookies).FirstOrDefault(cs => cs.Name == COOKIE_HEADER_NAME);
if (cookie == null)
return CreateError(request);
var headerValue = request.Headers.GetValues(COOKIE_HEADER_NAME).FirstOrDefault();
if (string.IsNullOrWhiteSpace(cookie.Value) || string.IsNullOrWhiteSpace(headerValue))
return CreateError(request);
if (headerValue.Trim().Equals(cookie.Value.Trim(), System.StringComparison.InvariantCulture))
return await base.SendAsync(request, cancellationToken);
return CreateError(request);
}
現在我們有一個客戶是誰加載HTTPS在HTTP網站上的iframe(不知道爲什麼)。它仍然可以在Chrome瀏覽器中正常運行,但在IE中失敗。似乎XSRF令牌沒有連接到IE的POST請求頭。
我的問題是,什麼是標題問題的解決方法,而不必添加任何邊緣案例邏輯。