CSRF Failed: Referer checking failed - no Referer

postman模拟登录出了这个错误,其实看标题就知道大概是怎么回事,网上大概找了办法,也没说到位,所以干脆自己找源码了.

问题很明显就是出在 CSRF 上,理所当然去查看 CsrfViewMiddleware 中间件:

 class CsrfViewMiddleware(object):

     def _accept(self, request):

         request.csrf_processing_done = True
         return None

     def _reject(self, request, reason):
         logger.warning('Forbidden (%s): %s', reason, request.path,
             extra={
                 'status_code': 403,
                 'request': request,
             }
         )
         return _get_failure_view()(request, reason=reason)

     def process_view(self, request, callback, callback_args, callback_kwargs):

         if getattr(request, 'csrf_processing_done', False):
             return None

         try:
             csrf_token = _sanitize_token(
                 request.COOKIES[settings.CSRF_COOKIE_NAME])
             request.META['CSRF_COOKIE'] = csrf_token
         except KeyError:
             csrf_token = None

             request.META["CSRF_COOKIE"] = _get_new_csrf_key()

             return None
 e that anything not defined as 'safe' by RFC2616 needs protection
         if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
             if getattr(request, '_dont_enforce_csrf_checks', False):
                 return self._accept(request)

             if request.is_secure():
                 referer = force_text(
                     request.META.get('HTTP_REFERER'),
                     strings_only=True,
                     errors='replace'
                 )
                 if referer is None:
                     return self._reject(request, REASON_NO_REFERER)　　　　　　# 问题就出在这里　　

                 good_referer = 'https://%s/' % request.get_host()
                 if not same_origin(referer, good_referer):
                     reason = REASON_BAD_REFERER % (referer, good_referer)
                     return self._reject(request, reason)

             if csrf_token is None:
                 return self._reject(request, REASON_NO_CSRF_COOKIE)
             request_csrf_token = ""
             if request.method == "POST":
                 try:
                     request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
                 except IOError:
                     pass

             if request_csrf_token == "":
                 request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')

             if not constant_time_compare(request_csrf_token, csrf_token):
                 return self._reject(request, REASON_BAD_TOKEN)

         return self._accept(request)

首先在文件里面搜索报错的信息字符串,找到这个:

REASON_NO_REFERER = "Referer checking failed - no Referer."

然后搜索 REASON_NO_REFERER 就会找到上面的那一段代码中出错的位置.(为什么写这些东西,因为我有个同学就是从来都不会找出错原因,方法有时候比结论更重要)

然后代码里面说的很清楚了, referer = request.META.get('HTTP_REFERER')

这就说明请求头里面没有 REFERER这个信息,都知道的,Django会把自定义的请求头大写并在前面添加 HTTP_ ,所以在postman的header里面添加这个 referer 字段就好了.

注意,referer的格式是 https://www.domain.com/.          后面有个点

然后就OK了

多说两句,看看人家django多贴心,如果是post请求的话,会尝试从两个地方获取csrftoken,请求体里面可以放,就算忘了放,还会从请求头里面拿(54行 - 64行)