fix: fix the CSRF problem that occurs with django4.x under HTTPS (#1794)
jiayuan929 authored Dec 10, 2024
1 parent 6025d0d commit 7bc1567
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions apiserver/paasng/paasng/settings/__init__.py
Expand Up @@ -574,6 +574,14 @@ def _build_file_handler(log_path: Path, filename: str, format: str) -> Dict:
FORCE_SCRIPT_NAME = settings.get("FORCE_SCRIPT_NAME")
CSRF_COOKIE_DOMAIN = settings.get("CSRF_COOKIE_DOMAIN")
SESSION_COOKIE_DOMAIN = settings.get("SESSION_COOKIE_DOMAIN")
# Django 4.0 会参考 Origin Header,如果使用了 CSRF_COOKIE_NAME,就需要在 settings 中额外配置 CSRF_TRUSTED_ORIGINS
# 且必须配置协议和域名
# https://docs.djangoproject.com/en/dev/releases/4.0/#format-change
BK_COOKIE_DOMAIN = settings.get("BK_COOKIE_DOMAIN")
# 正式环境 CSRF_COOKIE_DOMAIN 并未设置,所以默认值直接用通配符
CSRF_TRUSTED_ORIGINS = settings.get(
"CSRF_TRUSTED_ORIGINS", [f"http://*{BK_COOKIE_DOMAIN}", f"https://*{BK_COOKIE_DOMAIN}"]
)

# 蓝鲸登录票据在 Cookie 中的名称,权限中心 API 未接入 APIGW,访问时需要提供登录态信息
BK_COOKIE_NAME = settings.get("BK_COOKIE_NAME", "bk_token")
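Review bot: the default for CSRF_TRUSTED_ORIGINS is built from BK_COOKIE_DOMAIN without checking that it is set; `settings.get("BK_COOKIE_DOMAIN")` has no fallback, so an unset value yields the literal entries `http://*None` and `https://*None`, which trust nothing useful and silently keep the CSRF failure the commit is meant to fix. Build the default only when BK_COOKIE_DOMAIN is present (and fail loudly otherwise), and note that Django's wildcard matching treats `*` followed by a leading-dot domain as "any subdomain", while `*` followed by a bare domain only matches that exact host, so the value needs a leading dot for the subdomain intent the comment describes. The comment above the setting mentions CSRF_COOKIE_NAME, but the cookie name has no bearing on Origin checking; the setting just above the comment is CSRF_COOKIE_DOMAIN, and the second comment justifies the wildcard by saying CSRF_COOKIE_DOMAIN is unset in production while the value is actually derived from BK_COOKIE_DOMAIN, so both comments should name the setting they really refer to. Finally, since the commit targets HTTPS deployments, consider whether the `http://*...` entry is needed at all; trusting every subdomain over plain HTTP widens the set of origins allowed to make state-changing requests beyond what the fix requires.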
