/vendor/bundle/jruby/2.1/gems/rack-protection-1.5.3/lib/rack/protection/http_origin.rb

https://github.com/delowong/logstash · Ruby · 32 lines · 20 code · 4 blank · 8 comment · 3 complexity · c8f41f223e0fd52eeaf7f270691bfdc9 MD5 · raw file 

    

  1. require 'rack/protection'
    2. 

  2. 

  3. module Rack
    4. 

  4.   module Protection
    5. 

  5.     ##
    6. 

  6.     # Prevented attack::   CSRF
    7. 

  7.     # Supported browsers:: Google Chrome 2, Safari 4 and later
    8. 

  8.     # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
    9. 

  9.     #                      http://tools.ietf.org/html/draft-abarth-origin
    10. 

  10.     #
    11. 

  11.     # Does not accept unsafe HTTP requests when value of Origin HTTP request header
    12. 

  12.     # does not match default or whitelisted URIs.
    13. 

  13.     class HttpOrigin < Base
    14. 

  14.       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
    15. 

  15.       default_reaction :deny
    16. 

  16. 

  17.       def base_url(env)
    18. 

  18.         request = Rack::Request.new(env)
    19. 

  19.         port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
    20. 

  20.         "#{request.scheme}://#{request.host}#{port}"
    21. 

  21.       end
    22. 

  22. 

  23.       def accepts?(env)
    24. 

  24.         return true if safe? env
    25. 

  25.         return true unless origin = env['HTTP_ORIGIN']
    26. 

  26.         return true if base_url(env) == origin
    27. 

  27.         Array(options[:origin_whitelist]).include? origin
    28. 

  28.       end
    29. 

  29. 

  30.     end
    31. 

  31.   end
    32. 

  32. end
    33.