Sha256: e7b1f90f8956e3d8f4eb130f9489fb61327c43551a08540e639e9ed0ced8d59e
Contents?: true
Size: 1.82 KB
Versions: 70
Compression:
Stored size: 1.82 KB
Contents
require File.expand_path('../spec_helper.rb', __FILE__)
describe Rack::Protection::JsonCsrf do
it_behaves_like "any rack application"
describe 'json response' do
before do
mock_app { |e| [200, {'Content-Type' => 'application/json'}, []]}
end
it "denies get requests with json responses with a remote referrer" do
get('/', {}, 'HTTP_REFERER' => 'http://evil.com').should_not be_ok
end
it "accepts requests with json responses with a remote referrer when there's an origin header set" do
get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_ORIGIN' => 'http://good.com').should be_ok
end
it "accepts requests with json responses with a remote referrer when there's an x-origin header set" do
get('/', {}, 'HTTP_REFERER' => 'http://good.com', 'HTTP_X_ORIGIN' => 'http://good.com').should be_ok
end
it "accepts get requests with json responses with a local referrer" do
get('/', {}, 'HTTP_REFERER' => '/').should be_ok
end
it "accepts get requests with json responses with no referrer" do
get('/', {}).should be_ok
end
it "accepts XHR requests" do
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
end
end
describe 'not json response' do
it "accepts get requests with 304 headers" do
mock_app { |e| [304, {}, []]}
get('/', {}).status.should == 304
end
end
describe 'with drop_session as default reaction' do
it 'still denies' do
mock_app do
use Rack::Protection, :reaction => :drop_session
run proc { |e| [200, {'Content-Type' => 'application/json'}, []]}
end
session = {:foo => :bar}
get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'rack.session' => session)
last_response.should_not be_ok
end
end
end
Version data entries
70 entries across 67 versions & 19 rubygems