ruby-on-rails - Rails 4 ActionController::InvalidAuthenticityToken with multiple subdomains

Tags ruby-on-rails session ruby-on-rails-4 subdomain

Before you say anything, let me say that I searched Google and many posts on Stackoverflow, but nothing provided a solution to my problem. That is why I am creating a new post.

I am creating an application with two subdomains: account.psantos.dev and app.psantos.dev.

In config/initializers/session_store.rb I have:

Rails.application.config.session_store :cookie_store, key: '_psantos.co.ao_session', domain: 'psantos.dev'

I have the following folder structure:

- app
-- controllers
--- app1
---- welcome_controller.rb
--- account
---- welcome_controller.rb
--views
--- layout
---- app1.html.erb
---- account.html.erb
--- app1
---- welcome
----- index.html.erb
--- account
---- welcome
----- index.html.erb



In app/views/layout/app1.html.erb (http://app1.psantos.dev) I have the following line:
<li><%= link_to "Logout", account_sign_out_url, method: :delete %></li>

When I click this link (which goes to http://account.psantos.dev), I get the following error: ActionController::InvalidAuthenticityToken at /sign_out ActionController::InvalidAuthenticityToken
In both layout files (app1.html.erb and account.html.erb) I have this line before the </head> tag:
<%= csrf_meta_tags %>

How can I solve this?

Update: relevant log

Started GET "/" for 127.0.0.1 at 2015-08-08 12:37:03 +0100
Processing by APP1::WelcomeController#index as HTML
  Parameters: {"subdomain"=>"app1"}
  Rendered app1/welcome/index.html.erb within layouts/app1 (0.4ms)
  Entity Load (0.3ms)  SELECT "entities".* FROM "entities" WHERE "entities"."user_token" = $1 LIMIT 1  [["user_token", "xxxxxxxxxxxxxxxxxxxx"]]
Completed 200 OK in 43ms (Views: 42.0ms | ActiveRecord: 0.3ms)

Started DELETE "/sign_out" for 127.0.0.1 at 2015-08-08 12:37:05 +0100
Processing by Account::SessionsController#destroy as HTML
  Parameters: {"subdomain"=>"account"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)

ActionController::InvalidAuthenticityToken - ActionController::InvalidAuthenticityToken:
  actionpack (4.2.3) lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request'
  actionpack (4.2.3) lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request'
  actionpack (4.2.3) lib/action_controller/metal/request_forgery_protection.rb:204:in `verify_authenticity_token'
  activesupport (4.2.3) lib/active_support/callbacks.rb:430:in `block in make_lambda'
  activesupport (4.2.3) lib/active_support/callbacks.rb:143:in `block in halting_and_conditional'
  activesupport (4.2.3) lib/active_support/callbacks.rb:502:in `block in call'
  activesupport (4.2.3) lib/active_support/callbacks.rb:502:in `call'

Best answer

Right now it is not possible to perform a :delete request to a subdomain.

There is a vulnerability in jquery-ujs and jquery-rails that can be used to bypass CSP protections and allows attackers to send CSRF tokens to attacker domains. This vulnerability has been assigned the CVE identifier CVE-2015-1840. Versions Affected: All. Not affected: Applications which don't use jquery-ujs or jquery-rails. Fixed Versions: jquery-rails versions 4.0.4 and 3.1.3 and jquery-ujs 1.0.4.

Impact

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, who will see this as a same origin request, and send the user's CSRF token to the attacker domain.



Here is the commit to jquery-ujs:
[image: diff of the commit in jquery-ujs]

You can read more here.
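The following is an added example (not code from the original post, from jQuery or from jquery-ujs) that models the two behaviours the answer ties together: the legacy same-origin decision that let a leading-space href leak the token (CVE-2015-1840), and the origin-aware check that the fixed jquery-ujs applies before it puts the CSRF token into the form it builds for a data-method link. The page origin http://app1.psantos.dev, the hrefs and the token value are constructed for the demonstration; the regex is the one jQuery 1.x used to derive crossDomain, and the hardened check uses the WHATWG URL parser available in Node and browsers.

```javascript
// Added example, not code from the original post or from jquery-ujs/jQuery.
// It models the same-origin decision behind CVE-2015-1840 and the fixed
// behaviour that makes a cross-subdomain data-method link arrive without
// a CSRF token. Origins, hrefs and the token value are constructed.

// Assumed page origin and CSRF meta values (as rendered by csrf_meta_tags).
const PAGE_ORIGIN = 'http://app1.psantos.dev';
const CSRF = { param: 'authenticity_token', token: 'constructed-token-abc123' };

// jQuery 1.x derived options.crossDomain by matching the request URL against
// this regex and comparing scheme/host/port with the page's own. A URL with
// a leading space does not match at all, so `parts` is null and the request
// is treated as same-origin: that is the bug the advisory describes.
const RURL = /^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/;

function defaultPort(scheme) {
  return scheme === 'http:' ? '80' : '443';
}

// Vulnerable check: reproduces jQuery's legacy crossDomain computation.
function legacyIsCrossDomain(url, pageOrigin = PAGE_ORIGIN) {
  const parts = RURL.exec(url.toLowerCase());
  const loc = RURL.exec(pageOrigin.toLowerCase());
  return !!(parts && (
    parts[1] !== loc[1] ||
    parts[2] !== loc[2] ||
    (parts[3] || defaultPort(parts[1])) !== (loc[3] || defaultPort(loc[1]))
  ));
}

// Hardened check, modelled on the isCrossDomain helper that jquery-ujs 1.0.4
// added: resolve the URL the way the browser will (the WHATWG parser strips
// the leading whitespace) and compare full origins; anything that fails to
// parse is treated as cross-domain so the token is never attached.
function isCrossDomain(url, pageOrigin = PAGE_ORIGIN) {
  try {
    const target = new URL(url, pageOrigin);
    return target.origin !== new URL(pageOrigin).origin;
  } catch (err) {
    return true;
  }
}

// Models what jquery-ujs does for a link with data-method: build a POST form
// with a _method override, adding the CSRF token only when the supplied
// cross-domain check says the target is same-origin.
function buildMethodForm(href, method, crossDomainCheck = isCrossDomain, pageOrigin = PAGE_ORIGIN) {
  const fields = [{ name: '_method', value: method }];
  if (!crossDomainCheck(href, pageOrigin)) {
    fields.push({ name: CSRF.param, value: CSRF.token });
  }
  return { action: href, method: 'post', fields };
}

function formHasToken(form) {
  return form.fields.some((f) => f.name === CSRF.param);
}

// The three cases discussed on the page, evaluated from http://app1.psantos.dev.
function demo() {
  const cases = [
    // 1. The poster's link: app1 -> account subdomain. Different origin, so
    //    the fixed check omits the token and Rails answers 422.
    ['http://account.psantos.dev/sign_out', 'delete', isCrossDomain],
    // 2. The same action kept on the current subdomain: token included.
    ['/sign_out', 'delete', isCrossDomain],
    // 3. The advisory's attacker href with a leading space under the legacy
    //    check: judged same-origin, so the token is handed to attacker.com.
    [' https://attacker.com', 'post', legacyIsCrossDomain],
  ];
  return cases.map(([href, method, check]) => ({
    href,
    crossDomain: check(href),
    tokenIncluded: formHasToken(buildMethodForm(href, method, check)),
  }));
}

console.log(demo());
```

Case 1 is the situation in the question: with jquery-ujs 1.0.4 or later the generated form for a data-method link to another subdomain carries `_method=delete` but no authenticity_token, which is exactly the "Can't verify CSRF token authenticity" line in the log. Case 3 shows why the fix was needed: the regex-based check never rejects the leading-space URL, while resolving it through the URL parser yields the attacker's origin.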

Regarding ruby-on-rails - Rails 4 ActionController::InvalidAuthenticityToken with multiple subdomains, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/31892629/
