Forbidden(403) CSRF verification failed. Request aborted.

    Technology  2022-07-12  80

    Case one: if you are using a function-based view, add the csrf_exempt decorator to the view (note that this switches CSRF protection off for that view, as the response text below says):

    from django.views.decorators.csrf import csrf_exempt
    from django.http import HttpResponse

    @csrf_exempt
    def my_view(request):
        return HttpResponse("I have opened my view up to cross site request forgery!")

    Case two: I was only using form-based login (by URL) and had forgotten to include the {% csrf_token %} template tag. Adding it will most likely solve your problem without exposing you to cross-site scripting attacks.

    <div class="page-header" style="padding-top:80px;">
        <div id="navbar" class="navbar-collapse collapse">
            <form class="navbar-form" method="post" action="/sign_index_action/{{event.id}}/">
                {%csrf_token%}
                <div class="form-group">
                    <input name="phone" type="text" placeholder="输入手机号" class="form-control">
                </div>

    Case three: if you are using an Ajax-based view to check username availability, as in Vitor's Ajax tutorial, it is a little more involved: you need the getCookie function from the documentation and must pass the token along with the Ajax request, as follows:

    // Returns the named cookie's value from the browser (from the Django docs linked below)
    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie !== '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = cookies[i].trim();
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) === (name + '=')) {
                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }

    // Also from the docs
    function csrfSafeMethod(method) {
        // these HTTP methods do not require CSRF protection
        return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
    }

    var csrftoken = getCookie('csrftoken'); // read the CSRF token once from the cookie

    // Attach the token as the X-CSRFToken header on every unsafe, same-origin request
    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
                xhr.setRequestHeader("X-CSRFToken", csrftoken);
            }
        }
    });
    // now your ajax logic as usual
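    To see what all three cases are working around, here is an added stand-alone example (not code from this post or from Django itself): a simplified re-implementation of the cookie-plus-token comparison Django's CsrfViewMiddleware performs, using its masking scheme and the cookie layout of Django 4.1 and later (unmasked secret in the cookie, masked token in the form field or X-CSRFToken header). The function and parameter names are assumptions chosen for this example.

```python
import hmac
import secrets
import string

# Masking scheme mirrors Django's CsrfViewMiddleware, but this is a stand-alone
# re-implementation for illustration, not Django's own code; names are chosen here.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # same list as csrfSafeMethod()

def random_chars(n):
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))

def new_secret():
    """The random secret the server stores in the 'csrftoken' cookie."""
    return random_chars(CSRF_SECRET_LENGTH)

def mask_secret(secret):
    """What {% csrf_token %} renders: a fresh random mask followed by the secret
    shifted character-wise by that mask, so every page gets a different token."""
    mask = random_chars(CSRF_SECRET_LENGTH)
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(chars[(chars.index(x) + chars.index(y)) % len(chars)]
                     for x, y in zip(secret, mask))
    return mask + cipher

def unmask_token(token):
    """Reverse mask_secret(): recover the secret from a submitted token."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(chars[(chars.index(x) - chars.index(y)) % len(chars)]
                   for x, y in zip(cipher, mask))

def check_request(method, cookies, post=None, headers=None, exempt=False):
    """Return 'ok' if the request passes, otherwise the reason for the 403."""
    if exempt or method in CSRF_SAFE_METHODS:  # csrf_exempt skips every check (case one)
        return "ok"
    secret = cookies.get("csrftoken")
    if secret is None:
        return "CSRF cookie not set."
    # The token arrives in the form field (case two) or the X-CSRFToken header (case three).
    token = (post or {}).get("csrfmiddlewaretoken") or (headers or {}).get("X-CSRFToken", "")
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        return "CSRF token missing or incorrect."
    if not hmac.compare_digest(unmask_token(token), secret):  # constant-time compare
        return "CSRF token missing or incorrect."
    return "ok"
```

    Calling check_request for a POST with the cookie set but no form field or header reproduces the 403 behind cases two and three, while exempt=True shows that case one accepts the request without looking at the token at all.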

    See the documentation at https://docs.djangoproject.com/zh-CN/3.0/ref/csrf/
