更新时间:2022-05-26 21:15:01
Razor Pages 自动生成并验证 Antiforgery 令牌以防止 CSRF 攻击.由于您没有在 AJAX 回调中发送任何令牌,因此请求失败.
Razor Pages automatically generates and validates Antiforgery tokens to prevent CSRF attacks. Since you aren't sending any token within your AJAX callback, the request fails.
要解决此问题,您必须:
To solve this problem you will have to:
或直接使用 @Html.AntiForgeryToken
HtmlHelper<form>
or by directly using the @Html.AntiForgeryToken
HtmlHelperStartup.cs
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddRazorPages();
services.AddAntiforgery(o => o.HeaderName = "XSRF-TOKEN");
}
在 AJAX 回调中,我们添加了额外的代码来发送带有请求标头的 XSRF-TOKEN
.
$.ajax({
type: "POST",
url: '/?handler=YOUR_CUSTOM_HANDLER', // Replace YOUR_CUSTOM_HANDLER with your handler.
contentType: "application/json; charset=utf-8",
beforeSend: function (xhr) {
xhr.setRequestHeader("XSRF-TOKEN",
$('input:hidden[name="__RequestVerificationToken"]').val());
},
dataType: "json"
}).done(function (data) {
console.log(data.result);
})
你可以通过添加一个来实现:
<form method="post">
<input type="button" value="Ajax test" class="btn btn-default" onclick="ajaxTest();" />
</form>
或使用@Html.AntiForgeryToken
:
@Html.AntiForgeryToken()
<input type="button" value="Ajax test" class="btn btn-default" onclick="ajaxTest();" />
在这两种情况下,Razor Pages 都会在页面加载后自动添加一个包含防伪标记的隐藏输入字段:
In both cases Razor Pages will automatically add a hidden input field which contains the antiforgery token once the page is loaded:
<input name="__RequestVerificationToken" type="hidden" value="THE_TOKEN_VALUE" />