123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::HttpOrigin

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/http_origin.rb

Overview

Prevented attack

CSRF

Supported browsers

Google Chrome 4, Safari 3.1, Firefox 70, Edge 70 and later. See https://caniuse.com/mdn-http_headers_origin, for a complete list.

More infos

Rejects any unsafe request whose Origin HTTP header does match one of the origins given to :permitted_origins. Note that if the Origin is the same as the request host, the request is always allowed. Similarly, if there is not Origin header for an unsafe request, it is always denied.

Options

[:permitted_origins] A String or Array of Strings representing the additional allowed origins for an unsafe request. The values must be exact matches for the value provided in the Origin header. Generally speaking, this means that you should include the scheme, and include the port only if it is not the default port for the scheme (80 for http and 443 for https).

[:allow_if] A Proc to be used for custom logic, superceding the values in :permitted_origins. By default, this is nil, meaning that :permitted_origins control the behavior. Note that if the request's origin is the same as the Origin header, this Proc is not evaluated and the request is allowed. Further note that if there is no Origin header, this Proc is not evaluated and the request is denied.

[Rack::Protection::Base options] options supported by Rack::Protection::Base may affect this middleware.

Example: Including your local dev environment

use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.0.1:3000"]

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options

Used by subclasses to declare default values for options they require.

.default_reaction

Used by subclasses to declare default reaction when a request is rejected.

.new

Instance Attribute Summary

Base - Inherited

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.

#deny

Deny the request.

#drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer,
#report

When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false).

#safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/http_origin.rb', line 52

def accepts?(env)
  return true if safe? env
  return true unless (origin = env['HTTP_ORIGIN'])
  return true if base_url(env) == origin
  return true if options[:allow_if]&.call(env)

  permitted_origins = options[:permitted_origins]
  Array(permitted_origins).include? origin
end

#base_url(env)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/http_origin.rb', line 46

def base_url(env)
  request = Rack::Request.new(env)
  port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
  "#{request.scheme}://#{request.host}#{port}"
end