Class: Rack::Protection::HttpOrigin
| Relationships & Source Files | |
| Super Chains via Extension / Inclusion / Inheritance | |
|
Class Chain:
self,
Base
|
|
|
Instance Chain:
self,
Base
|
|
| Inherits: |
Rack::Protection::Base
|
| Defined in: | rack-protection/lib/rack/protection/http_origin.rb |
Overview
- Prevented attack
CSRF
- Supported browsers
Google Chrome 4, Safari 3.1, Firefox 70, Edge 70 and later. See https://caniuse.com/mdn-http_headers_origin, for a complete list.
- More infos
Rejects any unsafe request whose Origin HTTP header does match one of the origins given to :permitted_origins. Note that if the Origin is the same as the request host, the request is always allowed. Similarly, if there is not Origin header for an unsafe request, it is always denied.
Options
[:permitted_origins] A String or Array of Strings representing the additional allowed origins for an unsafe request. The values must be exact matches for the value provided in the Origin header. Generally speaking, this means that you should include the scheme, and include the port only if it is not the default port for the scheme (80 for http and 443 for https).
[:allow_if] A Proc to be used for custom logic, superceding the values in :permitted_origins. By default, this is nil, meaning that :permitted_origins control the behavior. Note that if the request's origin is the same as the Origin header, this Proc is not evaluated and the request is allowed. Further note that if there is no Origin header, this Proc is not evaluated and the request is denied.
[Rack::Protection::Base options] options supported by Rack::Protection::Base may affect this middleware.
Example: Including your local dev environment
use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.0.1:3000"]
Constant Summary
-
DEFAULT_PORTS =
# File 'rack-protection/lib/rack/protection/http_origin.rb', line 42{ 'http' => 80, 'https' => 443, 'coffee' => 80 }
Base - Inherited
Class Method Summary
Base - Inherited
| .default_options | Used by subclasses to declare default values for options they require. |
| .default_reaction | Used by subclasses to declare default reaction when a request is rejected. |
| .new | |
Instance Attribute Summary
Instance Method Summary
Base - Inherited
| #accepts?, #call, #debug, #default_options, | |
| #default_reaction | Alias for Base#deny. |
| #deny | Deny the request. |
| #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, | |
| #report | When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false). |
| #safe?, #secure_compare, #session, #session?, #warn | |
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#accepts?(env) ⇒ Boolean
# File 'rack-protection/lib/rack/protection/http_origin.rb', line 52
def accepts?(env) return true if safe? env return true unless (origin = env['HTTP_ORIGIN']) return true if base_url(env) == origin return true if [:allow_if]&.call(env) permitted_origins = [:permitted_origins] Array(permitted_origins).include? origin end
#base_url(env)
[ GitHub ]# File 'rack-protection/lib/rack/protection/http_origin.rb', line 46
def base_url(env) request = Rack::Request.new(env) port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme] "#{request.scheme}://#{request.host}#{port}" end