/vendor/bundle/jruby/2.1/gems/rack-protection-1.5.3/lib/rack/protection/http_origin.rb
https://github.com/delowong/logstash · Ruby · 32 lines · 20 code · 4 blank · 8 comment · 3 complexity · c8f41f223e0fd52eeaf7f270691bfdc9 MD5 · raw file
- require 'rack/protection'
- module Rack
- module Protection
- ##
- # Prevented attack:: CSRF
- # Supported browsers:: Google Chrome 2, Safari 4 and later
- # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
- # http://tools.ietf.org/html/draft-abarth-origin
- #
- # Does not accept unsafe HTTP requests when value of Origin HTTP request header
- # does not match default or whitelisted URIs.
- class HttpOrigin < Base
- DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
- default_reaction :deny
- def base_url(env)
- request = Rack::Request.new(env)
- port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
- "#{request.scheme}://#{request.host}#{port}"
- end
- def accepts?(env)
- return true if safe? env
- return true unless origin = env['HTTP_ORIGIN']
- return true if base_url(env) == origin
- Array(options[:origin_whitelist]).include? origin
- end
- end
- end
- end