ruby-on-rails - Googlebot causes Invalid Cross Origin Request (COR) on Rails 4.1

Tags: ruby-on-rails ruby-on-rails-4 cors csrf ruby-on-rails-4.1

How do I prevent Google from causing this error when it crawls the site? I'm not interested in turning off `protect_from_forgery` unless it is safe to do so.

[fyi] method=GET path=/users format=*/* controller=users action=show status=200 duration=690.32 view=428.25 db=253.06 time=  host= user= user_agent=Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) session= params={""} ()
[hmm] Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding. (pid:)
[fyi] method=GET path=/users/123/flag format=*/* controller=users action=flag status=500 error='ActionController::InvalidCrossOriginRequest:Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.' duration=26.50 time= host= user= user_agent= session= params= (pid)
[omg] ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.):
actionpack (4.1.4) lib/action_controller/metal/request_forgery_protection.rb:217:in `verify_same_origin_request'

The controller responds to this with:

respond_to do |format|
  format.js { render template: 'users/flag', layout: "some_layout" }
end

I can't recreate the error, and it seems to work fine when I do it through a browser.

So far I've looked at the following resources, but most of them seem to suggest just blindly turning CSRF off, or have gone unanswered.
  • Using layout specific javascript in comfy leads to InvalidCrossOriginRequest
  • Invalid Cross Origin Request After Upgrading to Rails 4.1
  • How to avoid ActionController::InvalidCrossOriginRequest exception?
  • Googlebot asks for png and then my whole Heroku site crashes. What is going on?
  • https://github.com/rails/rails/pull/13345
  • http://myownpirateradio.com/tag/rails-authentication-token/
  • https://gist.github.com/aishek/8535082
  • Why does Google prepend while(1); to their JSON responses?
  • http://www.tsheffler.com/blog/?p=428
  • http://edgeapi.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html


Clarification:
The action should be protected by CSRF, but I want to stop Google from crawling it, or from producing an error when it crawls the page. I.e., I want the false-positive security warning to go away without actually affecting my security features.

Best answer

Googlebot uses the "*/*" format (http://apidock.com/rails/Mime), and the application renders JS because that is the only content available. Since it is remote, this correctly results in an invalid COR.

This can be reproduced with:

curl -H "Accept: */*" https://www.example.com/users/123/flag
    

The workaround is to have an HTML fallback resource for the spider to crawl:

respond_to do |format|
  format.html { render template: 'users/flag' }
  format.js { render template: 'users/flag', layout: "some_layout" }
end
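A simplified model of how Rails 4.1 picks a respond_to format and then runs verify_same_origin_request, added here as an illustration; it is not Rails' own code nor the asker's or answerer's. The request headers are constructed: a bare "Accept: */*" as Googlebot sends it, and a jquery-ujs "remote" link with the XMLHttpRequest header. It shows why a js-only action raises for the crawler, why the html fallback from the answer fixes it, and that XHR callers still receive JavaScript.

```ruby
# Simplified model of Rails 4.1 format negotiation plus verify_same_origin_request.
# Constructed for this example; it is not Rails' own code.
FORMATS = { html: 'text/html', js: 'text/javascript' }.freeze
# Same pattern Rails uses to spot a browser-style Accept header (several types
# plus */*); such a header is ignored and the request is treated as HTML, or JS for XHR.
BROWSER_LIKE_ACCEPTS = %r{,\s*\*/\*|\*/\*\s*,}

class InvalidCrossOriginRequest < StandardError; end

def xhr?(headers)
  headers['X-Requested-With'] == 'XMLHttpRequest'
end

# Formats the client asked for, in preference order; :any stands for */*.
def requested_formats(headers)
  accept = headers['Accept'].to_s
  usable = !accept.empty? && (xhr?(headers) || accept !~ BROWSER_LIKE_ACCEPTS)
  return [xhr?(headers) ? :js : :html] unless usable
  accept.split(',').map { |t| t.split(';').first.strip }
        .map { |mime| mime == '*/*' ? :any : FORMATS.key(mime) }.compact
end

# respond_to picks the first declared format that satisfies the client;
# a bare */* (Googlebot) is satisfied by whatever the controller declared first.
def negotiate_format(headers, declared)
  requested_formats(headers).each do |want|
    return declared.first if want == :any
    return want if declared.include?(want)
  end
  nil
end

# Returns [status, content_type] for a GET, or raises as Rails does.
def handle_get(headers, declared)
  fmt = negotiate_format(headers, declared)
  return [406, nil] if fmt.nil? # Rails answers 406 Not Acceptable
  content_type = FORMATS[fmt]
  # verify_same_origin_request: protected JavaScript on a non-XHR GET looks like
  # a <script src> include from a foreign page, so Rails refuses to serve it.
  if content_type.start_with?('text/javascript') && !xhr?(headers)
    raise InvalidCrossOriginRequest, 'embedded <script> tag on another site requested protected JavaScript'
  end
  [200, content_type]
end

# Constructed sample requests: Googlebot, and a jquery-ujs "remote" link.
GOOGLEBOT = { 'Accept' => '*/*' }.freeze
UJS_XHR = { 'Accept' => 'text/javascript, application/javascript, */*; q=0.01',
            'X-Requested-With' => 'XMLHttpRequest' }.freeze
```

handle_get(GOOGLEBOT, [:js]) raises InvalidCrossOriginRequest, while handle_get(GOOGLEBOT, [:html, :js]) returns [200, 'text/html'] and handle_get(UJS_XHR, [:html, :js]) still returns [200, 'text/javascript'].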
    

Regarding "ruby-on-rails - Googlebot causes Invalid Cross Origin Request (COR) on Rails 4.1", a matching question can be found on Stack Overflow: https://stackoverflow.com/questions/24707336/
