Class: Rack::Protection::JsonCsrf
| Relationships & Source Files | |
| Super Chains via Extension / Inclusion / Inheritance | |
|
Class Chain:
self,
Base
|
|
|
Instance Chain:
self,
Base
|
|
| Inherits: |
Rack::Protection::Base
|
| Defined in: | rack-protection/lib/rack/protection/json_csrf.rb |
Overview
Prevented attack:: CSRF Supported browsers:: all More infos:: http://flask.pocoo.org/docs/0.10/security/#json-security http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
JSON GET APIs are vulnerable to being embedded as JavaScript when the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.
If request includes Origin HTTP header, defers to HttpOrigin to determine
if the request is safe. Please refer to the documentation for more info.
The :allow_if option can be set to a proc to use custom allow/deny logic.
Constant Summary
Base - Inherited
Class Method Summary
Base - Inherited
Instance Attribute Summary
Instance Method Summary
- #call(env)
- #close_body(body)
- #has_vector?(request, headers) ⇒ Boolean
-
#react(env)
Alias for Base#deny.
- #react_and_close(env, body)
Base - Inherited
| #accepts?, #call, #default_options, | |
| #default_reaction | Alias for Base#deny. |
| #deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn | |
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Instance Method Details
#call(env)
[ GitHub ]# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 26
def call(env) request = Request.new(env) status, headers, body = app.call(env) if has_vector?(request, headers) warn env, "attack prevented by #{self.class}" react_and_close(env, body) or [status, headers, body] else [status, headers, body] end end
#close_body(body)
[ GitHub ]# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 55
def close_body(body) body.close if body.respond_to?(:close) end
#has_vector?(request, headers) ⇒ Boolean
# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 39
def has_vector?(request, headers) return false if request.xhr? return false if [:allow_if]&.call(request.env) return false unless headers['content-type'].to_s.split(';', 2).first =~ %r{^\s*application/json\s*$} origin(request.env).nil? and referrer(request.env) != request.host end
#react(env)
Alias for Base#deny.
# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 24
alias react deny
#react_and_close(env, body)
[ GitHub ]# File 'rack-protection/lib/rack/protection/json_csrf.rb', line 47
def react_and_close(env, body) reaction = react(env) close_body(body) if reaction reaction end