class Rack::Protection::JsonCsrf
Prevented attack: CSRF
Supported browsers: all
More info:
JSON returned by GET endpoints can be loaded as JavaScript by a foreign page (for example through a script tag); if that page has patched the Array prototype to track data, the parsed JSON is exposed to it. This middleware therefore checks the referrer even on GET requests when the response content type is JSON.
Public Instance Methods
call(env)
    # File lib/rack/protection/json_csrf.rb, line 16
    def call(env)
      request = Request.new(env)
      status, headers, body = app.call(env)
      if has_vector? request, headers
        warn env, "attack prevented by #{self.class}"
        react(env) or [status, headers, body]
      else
        [status, headers, body]
      end
    end
has_vector?(request, headers)
    # File lib/rack/protection/json_csrf.rb, line 28
    def has_vector?(request, headers)
      return false if request.xhr?
      return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
      origin(request.env).nil? and referrer(request.env) != request.host
    end
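The following is an added example, not rack-protection's own code: it re-implements the has_vector? decision above as a stand-alone Ruby script (no rack gem needed) and runs it over constructed requests, so you can see which combinations of XHR flag, Content-Type, Origin and Referer the check flags. ExampleRequest, request_for, json_csrf_vector? and the host api.example are constructed for this example, and the treatment of a missing Referer as the request's own host is an assumption based on rack-protection's default allow_empty_referrer option.

```ruby
require 'uri'

# Stand-in for Rack::Request, constructed for this example; the real middleware
# reads these values from the Rack env (HTTP_HOST, HTTP_REFERER, HTTP_ORIGIN, ...).
ExampleRequest = Struct.new(:host, :referer, :origin, :xhr, keyword_init: true) do
  def xhr?
    xhr == true
  end
end

# Same media-type test as has_vector?: only the part before ";charset=" counts.
# \A/\z replace the page's ^/$, which in Ruby anchor lines rather than the string.
def json_response?(headers)
  mime = headers['Content-Type'].to_s.split(';', 2).first
  !!(mime =~ /\A\s*application\/json\s*\z/)
end

# Reduce the Referer to its host; a missing Referer counts as the request's own
# host (assumption mirroring rack-protection's default allow_empty_referrer).
def referrer_host(request)
  URI.parse(request.referer.to_s).host || request.host
rescue URI::InvalidURIError
  nil
end

# The has_vector? decision from the page, evaluated against the stand-in request.
def json_csrf_vector?(request, headers)
  return false if request.xhr?                 # XHR cannot be a <script> include
  return false unless json_response?(headers)  # only JSON bodies are at risk
  request.origin.nil? && referrer_host(request) != request.host
end

JSON_HEADERS = { 'Content-Type' => 'application/json; charset=utf-8' }
HTML_HEADERS = { 'Content-Type' => 'text/html' }

def request_for(referer: nil, origin: nil, xhr: false)
  ExampleRequest.new(host: 'api.example', referer: referer, origin: origin, xhr: xhr)
end

# Constructed scenarios; true means the middleware would warn and react.
# script_include is the case the page describes: a foreign page loads the JSON
# endpoint as a script, so Referer is foreign, there is no Origin and it is not XHR.
def scenario_results
  {
    script_include:  json_csrf_vector?(request_for(referer: 'https://evil.example/'), JSON_HEADERS),
    same_site:       json_csrf_vector?(request_for(referer: 'https://api.example/app'), JSON_HEADERS),
    xhr_cross_site:  json_csrf_vector?(request_for(referer: 'https://evil.example/', xhr: true), JSON_HEADERS),
    html_cross_site: json_csrf_vector?(request_for(referer: 'https://evil.example/'), HTML_HEADERS),
    origin_present:  json_csrf_vector?(request_for(referer: 'https://evil.example/', origin: 'https://evil.example'), JSON_HEADERS),
    no_referer:      json_csrf_vector?(request_for, JSON_HEADERS)
  }
end
```

Only script_include comes back true; note that a request carrying an Origin header is passed through here because the check leaves Origin validation to other middleware.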