Class: Gitlab::HotlinkingDetector
- Inherits: Object
- Defined in:
- lib/gitlab/hotlinking_detector.rb
Constant Summary
- IMAGE_FORMATS = %w[image/jpeg image/apng image/png image/webp image/svg+xml image/*].freeze
- MEDIA_FORMATS = %w[video/webm video/ogg video/* application/ogg audio/webm audio/ogg audio/wav audio/*].freeze
- CSS_FORMATS = %w[text/css].freeze
- INVALID_FORMATS = (IMAGE_FORMATS + MEDIA_FORMATS + CSS_FORMATS).freeze
- INVALID_FETCH_MODES = %w[cors no-cors websocket].freeze
Class Method Details
.intercept_hotlinking?(request) ⇒ Boolean
```ruby
# File 'lib/gitlab/hotlinking_detector.rb', line 12
def intercept_hotlinking?(request)
  request_accepts = parse_request_accepts(request)

  # Block attempts to embed as JS
  return true if sec_fetch_invalid?(request)

  # If no Accept header was set, skip the rest
  return false if request_accepts.empty?

  # Workaround for IE8 weirdness
  return false if IMAGE_FORMATS.include?(request_accepts.first) && request_accepts.include?("application/x-ms-application")

  # Block all other media requests if the first format is a media type
  return true if INVALID_FORMATS.include?(request_accepts.first)

  false
rescue ActionDispatch::Http::MimeNegotiation::InvalidType, Mime::Type::InvalidMimeType
  # Malformed requests with invalid MIME types prevent the checks from
  # being executed correctly, so we should intercept those requests.
  true
end
```
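The following is an added, stand-alone Ruby re-implementation of the decision logic above, run over constructed request headers; it is example code, not GitLab's own. The two private helpers `parse_request_accepts` and `sec_fetch_invalid?` are not shown on this page, so the versions here are assumptions: a minimal Accept-header parser that raises on a token that is not `type/subtype`, and a Fetch Metadata check that flags a blocked `Sec-Fetch-Mode` combined with `Sec-Fetch-Dest: script`. The header hashes stand in for `request.headers` and are constructed, not captured traffic.

```ruby
IMAGE_FORMATS = %w[image/jpeg image/apng image/png image/webp image/svg+xml image/*].freeze
MEDIA_FORMATS = %w[video/webm video/ogg video/* application/ogg audio/webm audio/ogg audio/wav audio/*].freeze
CSS_FORMATS = %w[text/css].freeze
INVALID_FORMATS = (IMAGE_FORMATS + MEDIA_FORMATS + CSS_FORMATS).freeze
INVALID_FETCH_MODES = %w[cors no-cors websocket].freeze
InvalidMimeType = Class.new(StandardError) # stands in for Mime::Type::InvalidMimeType

# Assumed helper (not GitLab's): media types from the Accept header in listed order,
# parameters such as q=0.8 dropped; raises on a token that is not type/subtype.
def parse_request_accepts(headers)
  types = headers.fetch("Accept", "").split(",").map { |t| t.split(";").first.to_s.strip }.reject(&:empty?)
  bad = types.find { |t| !t.match?(%r{\A[\w.+*-]+/[\w.+*-]+\z}) }
  raise InvalidMimeType, bad if bad
  types
end

# Assumed helper (not GitLab's): the browser's Fetch Metadata headers say the
# response is being loaded as a script in one of the blocked fetch modes.
def sec_fetch_invalid?(headers)
  INVALID_FETCH_MODES.include?(headers["Sec-Fetch-Mode"]) && headers["Sec-Fetch-Dest"] == "script"
end

# Same decision sequence as the class method documented above, on a header hash.
def intercept_hotlinking?(headers)
  request_accepts = parse_request_accepts(headers)
  return true if sec_fetch_invalid?(headers)            # embedded as JS
  return false if request_accepts.empty?                # no Accept header: nothing to judge
  return false if IMAGE_FORMATS.include?(request_accepts.first) &&
                  request_accepts.include?("application/x-ms-application") # IE8 workaround
  return true if INVALID_FORMATS.include?(request_accepts.first) # first choice is image/media/CSS
  false
rescue InvalidMimeType
  true # malformed Accept header: intercept, as the original does
end

# Constructed sample headers (not captured traffic), one per branch of the check.
SAMPLES = {
  "html_navigation" => { "Accept" => "text/html,application/xhtml+xml,image/webp,*/*;q=0.8" },
  "img_tag"         => { "Accept" => "image/webp,image/apng,image/*,*/*;q=0.8" },
  "video_tag"       => { "Accept" => "video/webm,video/ogg,video/*;q=0.9,*/*;q=0.5" },
  "css_link"        => { "Accept" => "text/css,*/*;q=0.1" },
  "ie8_image"       => { "Accept" => "image/png,application/x-ms-application,*/*" },
  "script_embed"    => { "Accept" => "*/*", "Sec-Fetch-Mode" => "no-cors", "Sec-Fetch-Dest" => "script" },
  "no_accept"       => {},
  "malformed"       => { "Accept" => "not-a-mime-type" }
}.freeze

# Verdict per sample: true means the request would be intercepted.
def sample_verdicts
  SAMPLES.transform_values { |h| intercept_hotlinking?(h) }
end

sample_verdicts.each { |name, blocked| puts "#{name.ljust(16)} #{blocked ? 'intercept' : 'allow'}" }
```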