Sha256: b5fb763596d5e7579e6e453b5a977841c7ed65579d1f819aa7929267ad8acd4a

Contents?: true

Size: 1.43 KB

Versions: 18

Compression:

Stored size: 1.43 KB

Contents

require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack::   CSRF
    # Supported browsers:: Google Chrome 2, Safari 4 and later
    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
    #                      http://tools.ietf.org/html/draft-abarth-origin
    #
    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
    # does not match default or whitelisted URIs.
    #
    # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
    #
    #     use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
    #
    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
    class HttpOrigin < Base
      DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
      default_reaction :deny
      default_options :allow_if => nil

      def base_url(env)
        request = Rack::Request.new(env)
        port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
        "#{request.scheme}://#{request.host}#{port}"
      end

      def accepts?(env)
        return true if safe? env
        return true unless origin = env['HTTP_ORIGIN']
        return true if base_url(env) == origin
        return true if options[:allow_if] && options[:allow_if].call(env)
        Array(options[:origin_whitelist]).include? origin
      end

    end
  end
end

Version data entries

18 entries across 18 versions & 2 rubygems

Version Path
rack-protection-2.0.8.1 lib/rack/protection/http_origin.rb
rack-protection-2.0.8 lib/rack/protection/http_origin.rb
rack-protection-2.0.7 lib/rack/protection/http_origin.rb
rack-protection-2.0.6 lib/rack/protection/http_origin.rb
rack-protection-2.0.5 lib/rack/protection/http_origin.rb
rack-protection-2.0.4 lib/rack/protection/http_origin.rb
rack-protection-2.0.3 lib/rack/protection/http_origin.rb
rack-protection-2.0.2 lib/rack/protection/http_origin.rb
rack-protection-2.0.1 lib/rack/protection/http_origin.rb
rack-protection-2.0.1.rc1 lib/rack/protection/http_origin.rb
rack-protection-2.0.0 lib/rack/protection/http_origin.rb
rack-protection-2.0.0.rc6 lib/rack/protection/http_origin.rb
rack-protection-2.0.0.rc5 lib/rack/protection/http_origin.rb
enju_leaf-1.2.1 vendor/bundle/ruby/2.3/gems/rack-protection-2.0.0.rc2/lib/rack/protection/http_origin.rb
rack-protection-2.0.0.rc2 lib/rack/protection/http_origin.rb
rack-protection-2.0.0.rc1 lib/rack/protection/http_origin.rb
rack-protection-2.0.0.beta2 lib/rack/protection/http_origin.rb
rack-protection-2.0.0.beta1 lib/rack/protection/http_origin.rb