123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::HttpOrigin

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/http_origin.rb

Overview

Prevented attack:: CSRF Supported browsers:: Google Chrome 2, Safari 4 and later More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery http://tools.ietf.org/html/draft-abarth-origin

Does not accept unsafe HTTP requests when value of Origin HTTP request header does not match default or permitted URIs.

If you want to permit a specific domain, you can pass in as the :permitted_origins option:

use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.01:3000"]

The :allow_if option can also be set to a proc to use custom allow/deny logic.

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options, .default_reaction, .new

Instance Attribute Summary

Base - Inherited

#app, #options

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.
#deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

[ GitHub ] 

  


# File 'rack-protection/lib/rack/protection/http_origin.rb', line 32



def accepts?(env)
  return true if safe? env
  return true unless (origin = env['HTTP_ORIGIN'])
  return true if base_url(env) == origin
  return true if options[:allow_if]&.call(env)

  permitted_origins = options[:permitted_origins]
  Array(permitted_origins).include? origin
end


  








  

    #base_url(env)  
  

  [ GitHub ]


  

  


# File 'rack-protection/lib/rack/protection/http_origin.rb', line 26



def base_url(env)
  request = Rack::Request.new(env)
  port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
  "#{request.scheme}://#{request.host}#{port}"
end