Class: Rack::Protection::JsonCsrf
- Defined in:
- lib/rack/protection/json_csrf.rb
Overview
- Prevented attack
-
CSRF
- Supported browsers
-
all
- More infos
JSON GET APIs are vulnerable to being embedded as JavaScript while the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.
Constant Summary
Constants inherited from Base
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
Methods inherited from Base
#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #initialize, #random_string, #react, #referrer, #safe?, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env) ⇒ Object
16 17 18 19 20 21 22 |
# File 'lib/rack/protection/json_csrf.rb', line 16 def call(env) status, headers, body = app.call(env) if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/ result = react(env) if referrer(env) != Request.new(env).host end result or [status, headers, body] end |