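require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack:: CSRF
    # Supported browsers:: all
    # More infos:: http://flask.pocoo.org/docs/security/#json-security
    #
    # JSON GET APIs are vulnerable to being embedded as JavaScript while the
    # Array prototype has been patched to track data. Checks the referrer
    # even on GET requests if the content type is JSON.
    #
    # The check is made on the downstream response: only when that response
    # is application/json, no origin is present and the referrer differs from
    # the request host is the configured reaction (default :deny) applied.
    class JsonCsrf < Base
      default_reaction :deny

      # Media type that triggers the check. Anchored with \A and \z so the
      # whole value must be application/json; ^ and $ only anchor per line.
      JSON_MEDIA_TYPE = /\A\s*application\/json\s*\z/

      # Rack entry point.
      #
      # @param env [Hash] Rack environment
      # @return [Array] the downstream response triple, or the reaction's
      #   response when the request looks like a JSON CSRF vector and the
      #   reaction produced one (react may return nil, in which case the
      #   downstream response is passed through unchanged)
      def call(env)
        status, headers, body = app.call(env)
        response = [status, headers, body]
        return response unless json_response?(headers)
        return response unless csrf_vector?(env)

        result = react(env)
        warn env, "attack prevented by #{self.class}"
        return response unless result

        # the downstream body is being discarded in favour of the reaction's
        # response, so nobody else will close it; release it here
        body.close if body.respond_to?(:close)
        result
      end

      private

      # True when the response media type (the part before any ";charset="
      # parameter) is application/json.
      def json_response?(headers)
        media_type = headers['Content-Type'].to_s.split(';', 2).first
        !(media_type.to_s =~ JSON_MEDIA_TYPE).nil?
      end

      # True when no origin is known for the request and the referrer does
      # not match the request's own host. origin/referrer are inherited from
      # Base and are assumed to derive from the Origin/Referer headers.
      def csrf_vector?(env)
        origin(env).nil? && referrer(env) != Request.new(env).host
      end
    end
  end
end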
Version | Path |
---|---|
rack-protection-1.3.2 | lib/rack/protection/json_csrf.rb |
rack-protection-1.3.1 | lib/rack/protection/json_csrf.rb |