javascript - 如何给被视作为静态资源的spa加上csrf保护？

ajax提交的

$.ajax({url:你的urltype：依什么方式dataType:数据类型data:headers:{'X-CSRF-TOKEN':$('meta[name="csrf-token"]').attr('content')?$('meta[name="csrf-token"]').attr('content'):''},beforeSend:function(msg){alert('等待回调');},})

将输出部分放在header头里

<?php//+----------------------------------------------------------------------//|CSRF安全验证类@pushaowei//+----------------------------------------------------------------------//|[Usage]//|//后端//|uselibrary\Base\NoCSRF;//|session_start();//|if($this->getRequest()->isPost()){//|//|try{//|##验证TOKEN//|NoCSRF::check('csrf_token',$_POST,true,60*10,false);//60*10为10分钟(null为不验证时间)//|$result='CSRFcheckpassed.Formparsed.';//|//$this->getRequest()->getPost('field');//|echo$result;//|}catch(Exception$e){//|echo$e->getMessage().'Formignored.';//|}//|}else{//|#生成TOKEN//|$token=NoCSRF::generate('csrf_token');//|$this->getView()->assign('token',$token);//|$this->getView()->display('页面');//|}//|//前端//|<metaname="csrf-token"content="<?phpecholibrary\Base\NoCSRF::generate('csrf_token');?>"/>//+----------------------------------------------------------------------classNoCSRF{protectedstatic$doOriginCheck=false;/***CheckCSRFtokensmatchbetweensessionand$origin.*Makesureyougeneratedatokenintheformbeforecheckingit.**@paramString$keyThesessionand$originkeywheretofindthetoken.*@paramMixed$originTheobject/associativearraytoretreivethetokendatafrom(usually$_POST).*@paramBoolean$throwException(Facultative)TRUEtothrowexceptiononcheckfail,FALSEordefaulttoreturnfalse.*@paramInteger$timespan(Facultative)Makesthetokenexpireafter$timespanseconds.(null=never)*@paramBoolean$multiple(Facultative)Makesthetokenreusableandnotone-time.(Usefulforajax-heavyrequests).**@returnBooleanReturnsFALSEifaCSRFattackisdetected,TRUEotherwise.*/publicstaticfunctioncheck($key,$origin,$throwException=false,$timespan=null,$multiple=false){$session=Session::getInstance();if(!$session->has('csrf_'.$key))if($throwException)thrownew\Exception('MissingCSRFsessiontoken.');elsereturnfalse;if(!isset($origin[$key]))if($throwException)thrownew\Exception('MissingCSRFformtoken.');elsereturnfalse;//Getvalidtokenfromsession$hash=$session->get('csrf_'.$key);//Freeupsessiontokenforone-timeCSRFtokenusage.if(!$multiple)$session->forget('csrf_'.$key);//Originchecksif(self::$doOriginCheck&&sha1($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])!=substr(base64_decode($hash),10,40)){if($throwException)thrownew\Exception('Formorigindoesnotmatchtokenorigin.');elsereturnfalse;}//Checkifsessiontokenmatchesformtokenif($origin[$key]!=$hash)if($throwException)thrownew\Exception('InvalidCSRFtoken.');elsereturnfalse;//Checkfortokenexpirationif($timespan!=null&&is_int($timespan)&&intval(substr(base64_decode($hash),0,10))+$timespan<time())if($throwException)thrownew\Exception('CSRFtokenhasexpired.');elsereturnfalse;returntrue;}/***Addsextrauseragentandremote_addrcheckstoCSRFprotections.*/publicstaticfunctionenableOriginCheck(){self::$doOriginCheck=true;}/***CSRFtokengenerationmethod.Aftergeneratingthetoken,putitinsideahiddenformfieldnamed$key.**@paramString$keyThesessionkeywherethetokenwillbestored.(Willalsobethenameofthehiddenfieldname)*@returnStringThegenerated,base64encodedtoken.*/publicstaticfunctiongenerate($key){$session=Session::getInstance();$extra=self::$doOriginCheck?sha1($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']):'';//tokengeneration(basicallybase64_encodeanyrandomcomplexstring,time()isusedfortokenexpiration)$token=base64_encode(time().$extra.self::randomString(32));//storetheone-timetokeninsession$session->put('csrf_'.$key,$token);return$token;}/***Generatesarandomstringofgiven$length.**@paramInteger$lengthThestringlength.*@returnStringTherandomlygeneratedstring.*/protectedstaticfunctionrandomString($length){$seed='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijqlmnopqrtsuvwxyz0123456789';$max=strlen($seed)-1;$string='';for($i=0;$i<$length;++$i)$string.=$seed{intval(mt_rand(0.0,$max))};return$string;}}?>