Sha256: 020c2edf3ae0a9fe7275562aeb5123c48763c250334cf4a505b88e582ea5a1dc

Size: 951 Bytes

Versions: 1

Stored size: 951 Bytes

Contents

require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack::   CSRF
    # Supported browsers:: Google Chrome 2, Safari 4 and later
    # More info::          http://en.wikipedia.org/wiki/Cross-site_request_forgery
    #                      http://tools.ietf.org/html/draft-abarth-origin
    #
    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
    # does not match default or whitelisted URIs.
    class HttpOrigin < Base
      default_reaction :deny

      def accepts?(env)
        # only for unsafe request methods
        safe?(env) and return true
        # ignore if origin is not set
        origin = env['HTTP_ORIGIN'] or return true

        # check base url
        Request.new(env).base_url == origin and return true

        # check whitelist
        options[:origin_whitelist] or return false
        options[:origin_whitelist].include?(origin)
      end

    end
  end
end
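The following is an added example, not rack-protection's own code. It is a dependency-free mirror of the decision order in `HttpOrigin#accepts?` above, run against constructed Rack env hashes so the four branches (safe method, no Origin header, Origin equal to the request's base URL, whitelist lookup) can be exercised offline. The `SAFE_METHODS` list and the `base_url` construction are assumptions that stand in for rack-protection's `safe?` and `Rack::Request#base_url`; the hostnames and origins are constructed sample values.

```ruby
# Added example (not from rack-protection): mirrors the HttpOrigin decision
# order against hand-built Rack env hashes. No gems required.

# Assumption: the request methods rack-protection treats as "safe".
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Assumption: build "scheme://host[:port]" the way Rack::Request#base_url does,
# dropping the port when it is the scheme's default. Note this is a plain
# string comparison target: no further normalisation is applied.
def base_url(env)
  scheme = env['rack.url_scheme'] || 'http'
  host, port = (env['HTTP_HOST'] || env['SERVER_NAME']).split(':', 2)
  port ||= env['SERVER_PORT']
  default_port = scheme == 'https' ? '443' : '80'
  if port.nil? || port == default_port
    "#{scheme}://#{host}"
  else
    "#{scheme}://#{host}:#{port}"
  end
end

# Same branch order as HttpOrigin#accepts?: safe method -> allow; no Origin
# header -> allow; Origin matches base URL -> allow; otherwise consult the
# whitelist, denying when none is configured.
def origin_accepted?(env, origin_whitelist: nil)
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  origin = env['HTTP_ORIGIN'] or return true
  return true if base_url(env) == origin
  return false unless origin_whitelist
  origin_whitelist.include?(origin)
end

# Helper to construct a minimal Rack env (constructed sample, not a real request).
def make_env(method:, host:, scheme: 'https', origin: nil)
  env = { 'REQUEST_METHOD' => method, 'HTTP_HOST' => host, 'rack.url_scheme' => scheme }
  env['HTTP_ORIGIN'] = origin if origin
  env
end

# Decisions for a set of constructed requests against host app.example.
# Returns a name => accepted? hash so each branch can be inspected.
def decisions
  {
    # Safe method: accepted regardless of a foreign Origin.
    get_foreign_origin: origin_accepted?(make_env(method: 'GET', host: 'app.example',
                                                  origin: 'https://evil.example')),
    # Unsafe method but no Origin header at all: accepted (the check is skipped,
    # so this middleware alone does not protect clients that omit Origin).
    post_no_origin: origin_accepted?(make_env(method: 'POST', host: 'app.example')),
    # Origin equals the request base URL: accepted.
    post_same_origin: origin_accepted?(make_env(method: 'POST', host: 'app.example',
                                                origin: 'https://app.example')),
    # Foreign Origin, no whitelist configured: denied.
    post_foreign_origin: origin_accepted?(make_env(method: 'POST', host: 'app.example',
                                                   origin: 'https://evil.example')),
    # Foreign Origin present in the whitelist: accepted.
    post_whitelisted: origin_accepted?(make_env(method: 'POST', host: 'app.example',
                                                origin: 'https://partner.example'),
                                       origin_whitelist: ['https://partner.example']),
    # Edge case: an explicit default port in Origin does not string-match the
    # base URL, so it is denied even though it names the same site.
    post_explicit_default_port: origin_accepted?(make_env(method: 'POST', host: 'app.example',
                                                          origin: 'https://app.example:443')),
    # Edge case: the literal "null" Origin (sandboxed frames, some redirects) is
    # treated like any other non-matching value: denied unless whitelisted.
    post_null_origin: origin_accepted?(make_env(method: 'POST', host: 'app.example',
                                                origin: 'null')),
  }
end

if __FILE__ == $0
  decisions.each { |name, ok| puts format('%-28s %s', name, ok ? 'accepted' : 'denied') }
end
```

Two results worth noting when reading the table: an unsafe request that carries no Origin header at all is accepted, so this filter complements rather than replaces a token-based CSRF check; and because the match is a plain string comparison, whitelist entries must be written exactly as browsers send the Origin value (scheme and host, no trailing slash, no default port).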

Version data entries

1 entries across 1 versions & 1 rubygems

Version Path
rack-protection-1.3.1 lib/rack/protection/http_origin.rb