class Rack::Protection::HttpOrigin
- Prevented attack: CSRF
- Supported browsers: Google Chrome 2, Safari 4 and later
- More info: en.wikipedia.org/wiki/Cross-site_request_forgery, tools.ietf.org/html/draft-abarth-origin
Does not accept unsafe HTTP requests when the value of the Origin HTTP request header matches neither the request's own base URL nor one of the whitelisted URIs.
Constants
- DEFAULT_PORTS
Public Instance Methods
accepts?(env)

```ruby
# File lib/rack/protection/http_origin.rb, line 23
def accepts?(env)
  # Safe (read-only) methods are never blocked.
  return true if safe? env
  # A request that carries no Origin header is allowed through.
  return true unless origin = env['HTTP_ORIGIN']
  # Same-origin request: Origin equals our own scheme://host[:port].
  return true if base_url(env) == origin
  # Otherwise only explicitly whitelisted origins are accepted.
  Array(options[:origin_whitelist]).include? origin
end
```
base_url(env)

```ruby
# File lib/rack/protection/http_origin.rb, line 17
def base_url(env)
  request = Rack::Request.new(env)
  # Omit the port when it is the scheme's default, so the result is
  # directly comparable with the Origin header a browser sends.
  port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
  "#{request.scheme}://#{request.host}#{port}"
end
```