protect_from_forgery 在 Rails 6？

Question

我的应用程序控制器中没有包含 protect_from_forgery 方法，默认的 Rails 6 应用程序，但主应用程序布局中有嵌入式 ruby <%= csrf_meta_tags %> .这是否意味着 protect_from_forgery 方法已被抽象并且不再明确需要在应用程序控制器中？

我已经购买了 Pragmatic Programmer 的 Rails 6 本书，但我唯一能找到的是 "the csrf_meta_tags() method sets up all the behind-the-scenes data needed to prevent cross-site request forgery attacks"。

Answer 1

对于 rails 5.2 及更高版本默认在 ActionController::Base 上启用。查看此提交： https://github.com/rails/rails/commit/ec4a836919c021c0a5cf9ebeebb4db5e02104a55

*   Protect from forgery by default

    Rather than protecting from forgery in the generated ApplicationController,
    add it to ActionController::Base depending on
    `config.action_controller.default_protect_from_forgery`. This configuration
    defaults to false to support older versions which have removed it from their
    ApplicationController, but is set to true for Rails 5.2.

在官方文档中：https://edgeguides.rubyonrails.org/configuring.html

config.action_controller.default_protect_from_forgery determines whether
forgery protection is added on ActionController:Base. This is false by default.