Class: Rack::Protection::JsonCsrf
- Defined in: lib/rack/protection/json_csrf.rb
Overview
- Prevented attack: CSRF
- Supported browsers: all
- More info: JSON GET APIs are vulnerable to being embedded as a script by a third-party page whose JavaScript has patched the Array prototype to capture the data as it is parsed. This middleware therefore checks the referrer even on GET requests whenever the response content type is JSON.
Instance Method Summary
Methods inherited from Base:
#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #referrer, #report, #safe?, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env) ⇒ Object
```ruby
# File 'lib/rack/protection/json_csrf.rb', line 16
def call(env)
  request = Request.new(env)
  # Let the downstream app produce the response first; the decision depends
  # on the response Content-Type.
  status, headers, body = app.call(env)

  if has_vector? request, headers
    warn env, "attack prevented by #{self.class}"
    # react(env) returns the configured reaction (e.g. a 403) or nil
    # when the reaction only reports, in which case the response passes.
    react(env) or [status, headers, body]
  else
    [status, headers, body]
  end
end
```
#has_vector?(request, headers) ⇒ Boolean
```ruby
# File 'lib/rack/protection/json_csrf.rb', line 28
def has_vector?(request, headers)
  # XHR requests are already protected by the same-origin policy.
  return false if request.xhr?
  # Only bare application/json bodies (parameters such as charset ignored) are checked.
  return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
  # A vector is a request with no Origin header whose referrer is another host.
  origin(request.env).nil? and referrer(request.env) != request.host
end
```
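To trace which JSON GET responses the `call`/`has_vector?` pair above would block, here is an added example (not rack-protection's own code) that re-states the same decision over plain Rack env hashes; the helper names, the sample hosts and the treatment of an empty Referer as same-host are assumptions of this example.

```ruby
require 'uri'

# Added example, not rack-protection's own code: a stand-alone re-statement of
# JsonCsrf#has_vector? over plain Rack env hashes. Helper names are hypothetical.

# Bare media type of the response, ignoring parameters such as "; charset=utf-8".
def json_content_type?(headers)
  media_type = headers['Content-Type'].to_s.split(';', 2).first
  !!(media_type =~ /^\s*application\/json\s*$/)
end

# Request host without the port, as Rack::Request#host reports it.
def request_host(env)
  env['HTTP_HOST'].to_s.sub(/:\d+\z/, '')
end

# Host named by the Referer header. An empty Referer counts as same-host
# (rack-protection's default, assumed here); an unparsable one yields nil.
def referrer_host(env)
  ref = env['HTTP_REFERER'].to_s
  return request_host(env) if ref.empty?
  URI.parse(ref).host || request_host(env)
rescue URI::InvalidURIError
  nil
end

# True when JsonCsrf would block the response: a non-XHR request for a JSON
# body that carries no Origin header and whose Referer names another host.
def json_csrf_vector?(env, headers)
  return false if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
  return false unless json_content_type?(headers)
  env['HTTP_ORIGIN'].nil? && referrer_host(env) != request_host(env)
end

# Constructed sample requests for a JSON endpoint served on api.example:8080.
JSON_HEADERS = { 'Content-Type' => 'application/json; charset=utf-8' }.freeze
BASE = { 'REQUEST_METHOD' => 'GET', 'HTTP_HOST' => 'api.example:8080' }.freeze
SAMPLES = {
  cross_site:  BASE.merge('HTTP_REFERER' => 'https://other.example/page'),
  same_site:   BASE.merge('HTTP_REFERER' => 'http://api.example:8080/app'),
  xhr:         BASE.merge('HTTP_REFERER' => 'https://other.example/page', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'),
  with_origin: BASE.merge('HTTP_REFERER' => 'https://other.example/page', 'HTTP_ORIGIN' => 'https://other.example')
}.freeze

if __FILE__ == $0
  SAMPLES.each do |name, env|
    puts "#{name}: #{json_csrf_vector?(env, JSON_HEADERS) ? 'blocked' : 'allowed'}"
  end
end
```

Only the cross-site, non-XHR, Origin-less request for a JSON body is flagged; the request that carries an Origin header is left to the origin-based checks in the other protections.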