Class: Rack::Protection::HttpOrigin
- Defined in:
- lib/rack/protection/http_origin.rb
Overview
- Prevented attack
-
CSRF
- Supported browsers
-
Google Chrome 2, Safari 4 and later
- More infos
-
en.wikipedia.org/wiki/Cross-site_request_forgery tools.ietf.org/html/draft-abarth-origin
Does not accept unsafe HTTP requests when value of Origin HTTP request header does not match default or permitted URIs.
If you want to permit a specific domain, you can pass in as the ‘:permitted_origins` option:
use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]
The ‘:allow_if` option can also be set to a proc to use custom allow/deny logic.
Constant Summary collapse
- DEFAULT_PORTS =
{ 'http' => 80, 'https' => 443, 'coffee' => 80 }
Constants inherited from Base
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
Methods inherited from Base
#call, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#accepts?(env) ⇒ Boolean
32 33 34 35 36 37 38 39 40 |
# File 'lib/rack/protection/http_origin.rb', line 32 def accepts?(env) return true if safe? env return true unless (origin = env['HTTP_ORIGIN']) return true if base_url(env) == origin return true if [:allow_if]&.call(env) permitted_origins = [:permitted_origins] Array(permitted_origins).include? origin end |
#base_url(env) ⇒ Object
26 27 28 29 30 |
# File 'lib/rack/protection/http_origin.rb', line 26 def base_url(env) request = Rack::Request.new(env) port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme] "#{request.scheme}://#{request.host}#{port}" end |