/vendor/bundle/jruby/2.1/gems/rack-protection-1.5.3/lib/rack/protection/http_origin.rb

 1require 'rack/protection'
 2
 3module Rack
 4  module Protection
 5    ##
 6    # Prevented attack::   CSRF
 7    # Supported browsers:: Google Chrome 2, Safari 4 and later
 8    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
 9    #                      http://tools.ietf.org/html/draft-abarth-origin
10    #
11    # Does not accept unsafe HTTP requests when value of Origin HTTP request header
12    # does not match default or whitelisted URIs.
13    class HttpOrigin < Base
14      DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
15      default_reaction :deny
16
17      def base_url(env)
18        request = Rack::Request.new(env)
19        port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
20        "#{request.scheme}://#{request.host}#{port}"
21      end
22
23      def accepts?(env)
24        return true if safe? env
25        return true unless origin = env['HTTP_ORIGIN']
26        return true if base_url(env) == origin
27        Array(options[:origin_whitelist]).include? origin
28      end
29
30    end
31  end
32end