
django - CSRF token fails when trying to serve a Django app on a subdomain

Reposted. Author: 行者123 Updated: 2023-12-02 02:59:58

I have successfully configured two Django apps on these two domains respectively:

http://omerselcuk.engineer

http://visions.omerselcuk.engineer

Both of them handle GET requests fine, but the first one (the main domain) can handle POST requests while the second one (the subdomain) cannot. I can verify that I have included {% csrf_token %} correctly, because I cannot even log in to the admin panel. (The admin panel is reachable, but I cannot log in.)

Both are publicly accessible, and DEBUG is turned on for the second Django app, so you can test it yourself if you want.

To clarify, when I serve the second one on the main domain but on a different port, it works as expected.

Best answer

From the docs:

In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This means that even if a subdomain can set or modify cookies on your domain, it can’t force a user to post to your application since that request won’t come from your own exact domain.

This also addresses a man-in-the-middle attack that’s possible under HTTPS when using a session independent secret, due to the fact that HTTP Set-Cookie headers are (unfortunately) accepted by clients even when they are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header isn’t reliable enough under HTTP.)

If the CSRF_COOKIE_DOMAIN setting is set, the referer is compared against it. This setting supports subdomains. For example, CSRF_COOKIE_DOMAIN = '.example.com' will allow POST requests from www.example.com and api.example.com. If the setting is not set, then the referer must match the HTTP Host header.

Expanding the accepted referers beyond the current host or cookie domain can be done with the CSRF_TRUSTED_ORIGINS setting.

The last two paragraphs are the important part. You need to set CSRF_COOKIE_DOMAIN = '.omerselcuk.engineer' or set CSRF_TRUSTED_ORIGINS.
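The referer rule quoted above can be hard to reason about from prose alone, so here is a small model of it, written for this page as an added example (it is not Django's CsrfViewMiddleware and not code from the question or answer). The request dictionaries and the three settings variants are constructed inline; the domain names are the ones from the question. The function applies the rule exactly as the quoted docs describe it: the check only runs for HTTPS requests, the Referer host must equal the Host header, or fall under CSRF_COOKIE_DOMAIN, or appear in CSRF_TRUSTED_ORIGINS.

```python
from urllib.parse import urlparse

# Constructed settings variants (assumed, for illustration):
# the default, the CSRF_COOKIE_DOMAIN fix, and the CSRF_TRUSTED_ORIGINS fix.
SETTINGS_DEFAULT = {}
SETTINGS_COOKIE_DOMAIN = {"CSRF_COOKIE_DOMAIN": ".omerselcuk.engineer"}
SETTINGS_TRUSTED = {"CSRF_TRUSTED_ORIGINS": ["omerselcuk.engineer"]}

# Constructed requests (scheme, Host header, Referer header):
# a form on the main domain posting to the subdomain app
CROSS_SUBDOMAIN_POST = {
    "scheme": "https",
    "host": "visions.omerselcuk.engineer",
    "referer": "https://omerselcuk.engineer/admin/login/",
}
# an attacker host whose name merely contains the real domain as a prefix
LOOKALIKE_POST = {
    "scheme": "https",
    "host": "visions.omerselcuk.engineer",
    "referer": "https://omerselcuk.engineer.attacker.example/csrf.html",
}
# the same cross-subdomain post over plain HTTP (docs: no referer check)
PLAIN_HTTP_POST = {
    "scheme": "http",
    "host": "visions.omerselcuk.engineer",
    "referer": "http://omerselcuk.engineer/admin/login/",
}


def host_in_cookie_domain(host, cookie_domain):
    """True if host is cookie_domain itself or a subdomain of it.

    A leading dot ('.example.com') is stripped, so 'example.com' and
    'api.example.com' match but 'example.com.evil.test' does not.
    """
    if not cookie_domain:
        return False
    domain = cookie_domain.lstrip(".")
    return host == domain or host.endswith("." + domain)


def referer_allowed(request, settings):
    """Model of the documented CSRF referer rule. Returns (ok, reason)."""
    # The quoted docs: referer checking is only done for HTTPS requests.
    if request["scheme"] != "https":
        return True, "referer check skipped for plain HTTP"

    referer = request.get("referer")
    if not referer:
        return False, "Referer header missing"
    parsed = urlparse(referer)
    if parsed.scheme != "https" or not parsed.hostname:
        return False, "Referer is malformed or not https"
    ref_host = parsed.hostname

    # 1. Default rule: referer must match the HTTP Host header (port dropped).
    if ref_host == request["host"].split(":")[0]:
        return True, "same host as Host header"
    # 2. CSRF_COOKIE_DOMAIN widens the match to the cookie domain's subdomains.
    if host_in_cookie_domain(ref_host, settings.get("CSRF_COOKIE_DOMAIN")):
        return True, "within CSRF_COOKIE_DOMAIN"
    # 3. CSRF_TRUSTED_ORIGINS widens it to an explicit allow-list of hosts.
    if ref_host in settings.get("CSRF_TRUSTED_ORIGINS", ()):
        return True, "listed in CSRF_TRUSTED_ORIGINS"
    return False, "referer host %s is not trusted" % ref_host


if __name__ == "__main__":
    for name, settings in [("default", SETTINGS_DEFAULT),
                           ("cookie-domain", SETTINGS_COOKIE_DOMAIN),
                           ("trusted-origins", SETTINGS_TRUSTED)]:
        for label, req in [("cross-subdomain", CROSS_SUBDOMAIN_POST),
                           ("lookalike", LOOKALIKE_POST),
                           ("plain-http", PLAIN_HTTP_POST)]:
            print(name, label, referer_allowed(req, settings))
```

With the default settings the cross-subdomain POST is rejected because the Referer host is not the Host header; either fix accepts it, and the lookalike host is still rejected because the leading dot in CSRF_COOKIE_DOMAIN forces a real label boundary. Note that the docs quoted here describe the setting as it was before Django 4.0; from 4.0 onwards CSRF_TRUSTED_ORIGINS entries must include the scheme (for example 'https://*.omerselcuk.engineer') and the origin check also covers HTTP requests, so check the docs for the version you are running.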

Regarding "django - CSRF token fails when trying to serve a Django app on a subdomain", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60196926/
