Class: Rack::Protection::HttpOrigin
- Defined in:
- lib/rack/protection/http_origin.rb
Overview
- Prevented attack
-
CSRF
- Supported browsers
-
Google Chrome 2, Safari 4 and later
- More infos
-
en.wikipedia.org/wiki/Cross-site_request_forgery tools.ietf.org/html/draft-abarth-origin
Does not accept unsafe HTTP requests when value of Origin HTTP request header does not match default or whitelisted URIs.
Constant Summary collapse
- DEFAULT_PORTS =
{ 'http' => 80, 'https' => 443, 'coffee' => 80 }
Constants inherited from Base
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
Methods inherited from Base
#bytesize, #call, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#accepts?(env) ⇒ Boolean
23 24 25 26 27 28 |
# File 'lib/rack/protection/http_origin.rb', line 23 def accepts?(env) return true if safe? env return true unless origin = env['HTTP_ORIGIN'] return true if base_url(env) == origin Array([:origin_whitelist]).include? origin end |
#base_url(env) ⇒ Object
17 18 19 20 21 |
# File 'lib/rack/protection/http_origin.rb', line 17 def base_url(env) request = Rack::Request.new(env) port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme] "#{request.scheme}://#{request.host}#{port}" end |