
require 'rack/protection'

module Rack
  module Protection
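    ##
    # Prevented attack::   CSRF
    # Supported browsers:: all
    # More info::          http://flask.pocoo.org/docs/security/#json-security
    #
    # A JSON response to a GET request can be pulled in cross-site via a
    # <script> tag; with the Array prototype patched to observe values, the
    # embedding page can read the data. This middleware therefore checks the
    # referrer even on GET requests whenever the response content type is JSON,
    # and hands the request to the configured reaction (deny by default) when
    # the referrer host does not match the request host.
    class JsonCsrf < Base
      default_reaction :deny

      # Bare media type of a JSON response (parameters such as ";charset=utf-8"
      # are split off before matching). Media types are case-insensitive, so
      # "Application/JSON" is protected as well; \A/\z anchor the whole header
      # value rather than a single line.
      JSON_TYPE = %r{\A\s*application/json\s*\z}i

      # Rack middleware entry point.
      #
      # Calls the downstream app first and rejects its response when it is a
      # JSON document requested from a foreign referrer.
      #
      # @param env [Hash] the Rack environment
      # @return [Array] a Rack response triple: the reaction's response when the
      #   request is rejected (and the reaction produced one), otherwise the
      #   app's own response untouched
      def call(env)
        status, headers, body = app.call(env)
        return [status, headers, body] unless json_response?(headers)
        return [status, headers, body] unless foreign_referrer?(env)

        result = react(env)
        warn env, "attack prevented by #{self.class}"
        return [status, headers, body] unless result

        # The reaction's response replaces the app's, so the discarded body is
        # never handed to the server; Rack requires whoever drops a body to
        # close it, or open files/streams leak.
        body.close if body.respond_to?(:close)
        result
      end

      private

      # @param headers [Hash] response headers from the downstream app
      # @return [Integer, nil] match position when the Content-Type is JSON,
      #   nil otherwise (a missing header never matches)
      def json_response?(headers)
        media_type = headers['Content-Type'].to_s.split(';', 2).first.to_s
        media_type =~ JSON_TYPE
      end

      # @param env [Hash] the Rack environment
      # @return [Boolean] true when the referrer host differs from the host the
      #   request was made to
      def foreign_referrer?(env)
        referrer(env) != Request.new(env).host
      end
    end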
  end
end
