当从非安全页面发布到安全页面时，django csrf失败

Question

我在所有静态页面中都有登录表单。我在我的项目中启用了csrf中间件。现在，当用户提交从http形式静态页面出现错误，

csrf verification failed 

有没有一种方法，以确保跨站点验证，非scure发布到安全的网页，即使？

我想既不添加scrf exempt装饰器也不将页面更改为https。

这是我的模板：

 <form action='{{login_url}}' method = 'post'> 
      {% csrf_token %} 

      <div class="searchbox login"> 
<input autocomplete="off" id="id_fakeusername" type="text" name="fakeusername" maxlength="100" value='Email' style="color: #727272" onfocus="$('#id_fakeusername').hide();$('#id_username').show();   

$('#id_username').focus();" /> 

<input autocomplete="off" type='text' id="id_username" type="text" name="username" maxlength="100" style="display: none" value='' onblur="if ($('#id_username').attr('value') == '') {$('#id_username').hide();$('#id_fakeusername').show();}" /> 
     </div> 
     <div class="searchbox login"> 
      <input autocomplete="off" id="id_fakepassword" type="text" name="fakepassword" maxlength="50" style="color: #727272" value='Password' onfocus="$('#id_fakepassword').hide(); $('#id_password').show(); $('#id_password').focus();" /> 

<input autocomplete="off" type='password' id="id_password" name="password" type="text" style="display: none" value='' onblur="if ($('#id_password').attr('value') == '') {$('#id_password').hide();$('#id_fakepassword').show();}" /> 
     </div> 
      {% block nativewin %} 
     <div class="loginbut"><input type="submit" border="0" title="Login" value="Login" /></div> 
    {% endblock nativewin %} 
    </form> 

Answer 1

从CsrfViewMiddleware码[1]：

  # Suppose user visits http://example.com/ 
      # An active network attacker (man-in-the-middle, MITM) sends a 
      # POST form that targets https://example.com/detonate-bomb/ and 
      # submits it via JavaScript. 
      # 
      # The attacker will need to provide a CSRF cookie and token, but 
      # that's no problem for a MITM and the session-independent 
      # nonce we're using. So the MITM can circumvent the CSRF 
      # protection. This is true for any HTTP connection, but anyone 
      # using HTTPS expects better! For this reason, for 
      # https://example.com/ we need additional protection that treats 
      # http://example.com/ as completely untrusted. Under HTTPS, 
      # Barth et al. found that the Referer header is missing for 
      # same-domain requests in only about 0.2% of cases or less, so 
      # we can use strict Referer checking. 

所以我想回答你的问题是“不”，使用内置的保护！

[1] https://github.com/django/django/blob/master/django/middleware/csrf.py#L118

Answer 2

你有没有包含在你的template的{{ csrf_token }}？

<form action="/contact/" method="post">{% csrf_token %} 
{{ form.as_p }} 
<input type="submit" value="Submit" /> 
</form> 

您是否在render_to_response中包含了RequestContext？

from django.template import RequestContext 
from django.shortcuts import render_to_response 

return render_to_response('contact.html', {'form': form}, 
        context_instance=RequestContext(request)) 

如果仍不起作用，请按照docs中所述的步骤操作。