123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::RemoteToken

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
Instance Chain:
Inherits: Rack::Protection::AuthenticityToken
Defined in: rack-protection/lib/rack/protection/remote_token.rb

Overview

Prevented attack

CSRF

Supported browsers

all

More infos

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Only accepts unsafe HTTP requests if a given access token matches the token included in the session or the request comes from the same origin.

Compatible with rack-csrf.

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

AuthenticityToken - Inherited

GLOBAL_TOKEN_IDENTIFIER, TOKEN_LENGTH

Class Method Summary

AuthenticityToken - Inherited

.random_token,
.token

Access the token from the given session.

Base - Inherited

.default_options

Used by subclasses to declare default values for options they require.

.default_reaction

Used by subclasses to declare default reaction when a request is rejected.

.new

Instance Attribute Summary

Base - Inherited

Instance Method Summary

AuthenticityToken - Inherited

#accepts?, #mask_authenticity_token, #compare_with_global_token, #compare_with_per_form_token, #compare_with_real_token, #decode_token, #encode_token, #global_token,
#mask_token

Creates a masked version of the authenticity token that varies on each request.

#masked_token?, #per_form_token, #real_token, #set_token, #token_hmac,
#unmask_token

Essentially the inverse of mask_token.

#unmasked_token?,
#valid_token?

Checks the client's masked token to see if it matches the session token.

#xor_byte_strings

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.

#deny

Deny the request.

#drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer,
#report

When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false).

#safe?, #secure_compare, #session, #session?, #warn

Constructor Details

This class inherits a constructor from Rack::Protection::Base

Instance Method Details

#accepts?(env) ⇒ Boolean

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/remote_token.rb', line 19

def accepts?(env)
  super or referrer(env) == Request.new(env).host
end