Class: Rack::Protection::HttpOrigin

Inherits:
Base
  • Object
show all
Defined in:
lib/rack/protection/http_origin.rb

Overview

Prevented attack

CSRF

Supported browsers

Google Chrome 2, Safari 4 and later

More infos

en.wikipedia.org/wiki/Cross-site_request_forgery tools.ietf.org/html/draft-abarth-origin

Does not accept unsafe HTTP requests when value of Origin HTTP request header does not match default or permitted URIs.

If you want to permit a specific domain, you can pass in as the ‘:permitted_origins` option:

use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]

The ‘:allow_if` option can also be set to a proc to use custom allow/deny logic.

Constant Summary collapse

DEFAULT_PORTS =
{ 'http' => 80, 'https' => 443, 'coffee' => 80 }

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary collapse

Methods inherited from Base

#call, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

Returns:

  • (Boolean)


32
33
34
35
36
37
38
39
40
# File 'lib/rack/protection/http_origin.rb', line 32

def accepts?(env)
  return true if safe? env
  return true unless (origin = env['HTTP_ORIGIN'])
  return true if base_url(env) == origin
  return true if options[:allow_if]&.call(env)

  permitted_origins = options[:permitted_origins]
  Array(permitted_origins).include? origin
end

#base_url(env) ⇒ Object



26
27
28
29
30
# File 'lib/rack/protection/http_origin.rb', line 26

def base_url(env)
  request = Rack::Request.new(env)
  port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
  "#{request.scheme}://#{request.host}#{port}"
end