Why aren't more of my controllers failing due to skip_forgery_protection not being used?

I'm upgrading a Rails application from 5.2 to 6.1. Previously I was using the 5.1 defaults, and now I'm using the 6.1 defaults.

In Rails 5.2, forgery protection became the default. So when I upgraded all the way to 6.1, some things started to break.

I added skip_forgery_protection to my GraphQL controller, and that fixed all of my failing tests. Tests that hit other controllers (which definitely do not implement any forgery system on the frontend) did not fail, and neither did other things I tried manually.

One theory I have is that forgery_protection only applies to POST, PUT, PATCH and DELETE, but I've found zero discussion of or reference to this online, and it doesn't seem to be what I'm observing (although I admit I haven't thoroughly tested that theory).

Everything inherits from the same ApplicationController.

What could be going on?

I'm not sure I understand your question correctly.

But if you're asking why forgery_protection only applies to POST, PUT, PATCH and DELETE, then the doc says:

Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.

And Wikipedia:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Because of this assumption, many existing CSRF prevention mechanisms in web frameworks will not cover GET requests, but rather apply the protection only to HTTP methods that are intended to be state-changing.
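To make the answer concrete, here is an added plain-Ruby model (not Rails' own code, and not from the original post) of the decision Rails' forgery check makes: GET and HEAD pass untouched, state-changing requests need the session's token (from the `authenticity_token` param or the `X-CSRF-Token` header), and `skip_forgery_protection` bypasses the check entirely, which is why a POST-only GraphQL controller is the one that fails. Class and method names are assumptions modelled on the real module, not Rails' API.

```ruby
# Added example, not from the original post: a stand-alone approximation of the
# decision Rails' RequestForgeryProtection makes. It does not load Rails.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

class ForgeryCheck
  # Only these methods are exempt; POST, PUT, PATCH and DELETE are all checked.
  SAFE_METHODS = %w[GET HEAD].freeze

  # skip: models `skip_forgery_protection` on a controller (e.g. a GraphQL endpoint)
  def initialize(session_token:, skip: false)
    @session_token = session_token
    @skip = skip
  end

  # Returns true when the request may proceed; raises when it is rejected.
  # Skipped protection, a safe method, or a token matching the session all pass.
  def verify!(method:, params: {}, headers: {})
    return true if @skip
    return true if SAFE_METHODS.include?(method.upcase)
    token = params['authenticity_token'] || headers['X-CSRF-Token']
    return true if token && secure_compare(token, @session_token)
    raise InvalidAuthenticityToken, "#{method} without a valid token"
  end

  private

  # Constant-time comparison so the token check itself does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample session token (a real app stores a per-session secret).
SESSION_TOKEN = SecureRandom.hex(16)

# Convenience wrapper returning :allowed or :rejected for a request shape.
def outcome(method, **opts)
  ForgeryCheck.new(session_token: SESSION_TOKEN).verify!(method: method, **opts)
  :allowed
rescue InvalidAuthenticityToken
  :rejected
end
```

For a GraphQL endpoint the safer fix is to send the session token in the `X-CSRF-Token` header so the check still runs, rather than skipping it.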