class Rack::Protection::JsonCsrf

Prevented attack

CSRF

Supported browsers

all

More infos

flask.pocoo.org/docs/security/#json-security

JSON GET APIs are vulnerable to being embedded as JavaScript while the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.

Public Instance Methods

call(env) click to toggle source
# File lib/rack/protection/json_csrf.rb, line 16
def call(env)
  request               = Request.new(env)
  status, headers, body = app.call(env)

  if has_vector? request, headers
    warn env, "attack prevented by #{self.class}"
    react(env) or [status, headers, body]
  else
    [status, headers, body]
  end
end
has_vector?(request, headers) click to toggle source
# File lib/rack/protection/json_csrf.rb, line 28
def has_vector?(request, headers)
  return false if request.xhr?
  return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
  origin(request.env).nil? and referrer(request.env) != request.host
end