Links don't work if the page was requested with null as the origin - PullRequest
2 votes
/ 11 November 2019

I have a standard Rails 5.2.2 application.

One of my pages contains an iFrame. When, from inside the iFrame, I follow a link that opens my website in a new tab, for example:

<iframe src="/page.html" sandbox="allow-scripts allow-forms allow-top-navigation allow-popups">
  <a href="http://0.0.0.0:3005/" target="_blank">Visit the frontpage</a>
</iframe>

I land on the site fine, and my log looks normal:

Started GET "/" for 127.0.0.1 at 2019-11-11 13:10:09 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 408ms (Views: 405.0ms)

But none of the internal links on the page work. When I click a link, this stack trace is printed before I am redirected back to the page I came from:

Started OPTIONS "/somewhere" for 127.0.0.1 at 2019-11-11 13:10:11 +0100

ActionController::RoutingError (No route matches [OPTIONS] "/somewhere"):

.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/debug_exceptions.rb:65:in `call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:135:in `call_app'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:30:in `block in call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `catch'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:38:in `call_app'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `block in call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `block in tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:28:in `tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `tagged'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/request_id.rb:27:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/method_override.rb:22:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/runtime.rb:22:in `call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/executor.rb:14:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/static.rb:127:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/sendfile.rb:111:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/engine.rb:524:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/configuration.rb:225:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:658:in `handle_request'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:472:in `process_client'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:332:in `block in run'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/thread_pool.rb:133:in `block in spawn_thread'
Started GET "/" for 127.0.0.1 at 2019-11-11 13:10:12 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 394ms (Views: 390.3ms)

To see what would happen, I added this to my routes file:

match "/somewhere", to: "somewhere#somewhere", via: [:options]

If I don't protect that page with authentication, no stack trace is triggered, but I am redirected back to where I came from:

Started OPTIONS "/somewhere" for 127.0.0.1 at 2019-11-11 13:41:18 +0100
Processing by SomewhereController#somewhere as */*
Completed 200 OK in 625ms (Views: 602.3ms)
Started GET "/" for 127.0.0.1 at 2019-11-11 13:41:19 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 413ms (Views: 409.8ms)

And if I add Devise authentication to the page, this stack trace is shown:

Started OPTIONS "/somewhere" for 127.0.0.1 at 2019-11-11 13:33:31 +0100
Processing by SomewhereController#somewhere as */*
Completed 422 Unprocessable Entity in 1ms

ActionController::InvalidAuthenticityToken (The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin.
If you cannot change the referrer policy, you can disable origin checking with the
Rails.application.config.action_controller.forgery_protection_origin_check setting.
):

.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/request_forgery_protection.rb:433:in `valid_request_origin?'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/request_forgery_protection.rb:291:in `verified_request?'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/request_forgery_protection.rb:230:in `verify_authenticity_token'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:426:in `block in make_lambda'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:179:in `block (2 levels) in halting_and_conditional'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:180:in `block in halting_and_conditional'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:513:in `block in invoke_before'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:513:in `each'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:513:in `invoke_before'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:131:in `run_callbacks'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/abstract_controller/callbacks.rb:41:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/rescue.rb:22:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/notifications.rb:168:in `block in instrument'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/notifications.rb:168:in `instrument'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/abstract_controller/base.rb:134:in `process'
.gems/ruby/2.4.0/gems/actionview-5.2.2/lib/action_view/rendering.rb:32:in `process'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal.rb:191:in `dispatch'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_controller/metal.rb:252:in `dispatch'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/routing/route_set.rb:34:in `serve'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/journey/router.rb:52:in `block in serve'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/journey/router.rb:35:in `each'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/journey/router.rb:35:in `serve'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/routing/route_set.rb:840:in `call'
.gems/ruby/2.4.0/gems/warden-1.2.8/lib/warden/manager.rb:36:in `block in call'
.gems/ruby/2.4.0/gems/warden-1.2.8/lib/warden/manager.rb:34:in `catch'
.gems/ruby/2.4.0/gems/warden-1.2.8/lib/warden/manager.rb:34:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/tempfile_reaper.rb:15:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/etag.rb:25:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/conditional_get.rb:38:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/head.rb:12:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/session/abstract/id.rb:232:in `context'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/session/abstract/id.rb:226:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/cookies.rb:670:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/callbacks.rb:98:in `run_callbacks'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/executor.rb:14:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:135:in `call_app'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:30:in `block in call'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `catch'
.gems/ruby/2.4.0/gems/web-console-3.7.0/lib/web_console/middleware.rb:20:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:38:in `call_app'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `block in call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `block in tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:28:in `tagged'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/tagged_logging.rb:71:in `tagged'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/rack/logger.rb:26:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/request_id.rb:27:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/method_override.rb:22:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/runtime.rb:22:in `call'
.gems/ruby/2.4.0/gems/activesupport-5.2.2/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/executor.rb:14:in `call'
.gems/ruby/2.4.0/gems/actionpack-5.2.2/lib/action_dispatch/middleware/static.rb:127:in `call'
.gems/ruby/2.4.0/gems/rack-2.0.6/lib/rack/sendfile.rb:111:in `call'
.gems/ruby/2.4.0/gems/railties-5.2.2/lib/rails/engine.rb:524:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/configuration.rb:225:in `call'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:658:in `handle_request'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:472:in `process_client'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/server.rb:332:in `block in run'
.gems/ruby/2.4.0/gems/puma-3.12.0/lib/puma/thread_pool.rb:133:in `block in spawn_thread'
Started GET "/" for 127.0.0.1 at 2019-11-11 13:33:31 +0100
Processing by StaticPagesController#index as HTML
Completed 200 OK in 681ms (Views: 677.9ms)

The following trick, as suggested in the stack trace, changed nothing:

Rails.application.configure do
  config.action_controller.forgery_protection_origin_check = false
end

I also tried, as suggested here, setting action_dispatch.default_headers to various values, with no luck:

config.action_dispatch.default_headers = {
  'Referrer-Policy' => 'no-referrer'
}

Any ideas what is going on?

...
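As an added example (not part of the question above and not Rails' own code), the following stand-alone Ruby script models the two pieces that interact in the logs: how a browser picks the Origin header for a document that lives in, or was opened from, an iframe with the `sandbox` attribute shown in the question, and how Rails 5.2's origin-based CSRF check reacts to that header. The browser part follows the HTML spec's sandboxing flags (no `allow-same-origin` gives the frame an opaque origin, serialized as `null`; a popup opened from it inherits the opener's flags unless `allow-popups-to-escape-sandbox` is present). The Rails part reimplements the published logic of `valid_request_origin?` from `ActionController::RequestForgeryProtection` over plain values, so there is no Rails dependency. The helper names (`origin_for`, `csrf_origin_outcome`, `scenario`) and the constants are this example's own assumptions; the URL and sandbox value are taken from the question.

```ruby
require "uri"

# Added example, not code from the question or from Rails: a stand-alone model
# of the two pieces that interact in the logs above. Part 1 follows the HTML
# spec's iframe sandboxing flags to predict the Origin header a browser sends;
# part 2 reimplements the published logic of Rails 5.2's valid_request_origin?
# (ActionController::RequestForgeryProtection) over plain values. Names such
# as origin_for, csrf_origin_outcome and scenario are this example's own.

# --- Part 1: what Origin does the browser send? ---------------------------

# Serializes a URL's origin the way the Origin header does: scheme://host,
# plus the port only when it is not the scheme's default.
def serialize_origin(url)
  u = URI.parse(url)
  default_port = u.scheme == "https" ? 443 : 80
  port = (u.port.nil? || u.port == default_port) ? "" : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

# Origin of a document at +url+ rendered inside an <iframe sandbox=...>.
# With popup: true it is instead the document a target=_blank link in that
# frame opens. Returns "null" for an opaque origin and nil when the sandbox
# blocks the popup outright.
def origin_for(url, sandbox:, popup: false)
  return serialize_origin(url) if sandbox.nil? # no sandbox attribute at all
  flags = sandbox.split
  if popup
    return nil unless flags.include?("allow-popups")
    # The opened window only gets a normal origin when it is allowed to escape;
    # otherwise it inherits every sandboxing flag of its opener.
    return serialize_origin(url) if flags.include?("allow-popups-to-escape-sandbox")
  end
  flags.include?("allow-same-origin") ? serialize_origin(url) : "null"
end

# --- Part 2: what Rails does with it ---------------------------------------

class InvalidAuthenticityToken < StandardError; end

NULL_ORIGIN_MESSAGE = "The browser returned a 'null' origin for a request " \
                      "with origin-based forgery protection turned on."

# Mirrors Rails 5.2 valid_request_origin?: a missing Origin header is accepted
# (some user agents omit it), a literal "null" raises, anything else must equal
# request.base_url. With forgery_protection_origin_check = false it always
# passes. Rails runs this only for requests it treats as unsafe, i.e. anything
# but GET/HEAD, which is why the OPTIONS request in the log hits it and the
# following GET "/" does not.
def valid_request_origin?(origin_header, base_url, origin_check: true)
  return true unless origin_check
  raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if origin_header == "null"
  origin_header.nil? || origin_header == base_url
end

# One outcome symbol per request, so scenarios are easy to compare.
def csrf_origin_outcome(origin_header, base_url, origin_check: true)
  valid_request_origin?(origin_header, base_url, origin_check: origin_check) ? :accepted : :rejected
rescue InvalidAuthenticityToken
  :null_origin_error
end

# --- Putting the two together for the setup in the question ----------------

SITE = "http://0.0.0.0:3005"
QUESTION_SANDBOX = "allow-scripts allow-forms allow-top-navigation allow-popups"
ESCAPING_SANDBOX = "#{QUESTION_SANDBOX} allow-popups-to-escape-sandbox"

# A link in the sandboxed frame opens SITE in a new tab; that tab then makes
# a non-GET request back to SITE. Returns the Origin the tab would send and
# how the Rails origin check would react.
def scenario(sandbox, origin_check: true)
  origin = origin_for("#{SITE}/", sandbox: sandbox, popup: true)
  return { origin: nil, outcome: :popup_blocked } if origin.nil?
  { origin: origin, outcome: csrf_origin_outcome(origin, SITE, origin_check: origin_check) }
end

if $PROGRAM_NAME == __FILE__
  p scenario(QUESTION_SANDBOX)                      # popup inherits the sandbox
  p scenario(ESCAPING_SANDBOX)                      # popup gets a real origin
  p scenario(QUESTION_SANDBOX, origin_check: false) # Rails stops looking at Origin
end
```

Two caveats when reading the results. The origin check is only one half of Rails' `verified_request?`: a non-GET request must also carry a valid authenticity token, so turning `forgery_protection_origin_check` off makes the `null` origin pass this check but does not by itself make an unauthenticated request verified. And the model says nothing about why the browser issues OPTIONS in the first place; it only shows that once a window carries an opaque origin, every unsafe request it sends to the Rails app will arrive with `Origin: null` and trip exactly the message seen in the trace.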