/vendor/bundle/jruby/2.1/gems/rack-protection-1.5.3/lib/rack/protection/http_origin.rb

https://github.com/delowong/logstash · Ruby · 32 lines · 20 code · 4 blank · 8 comment · 3 complexity · c8f41f223e0fd52eeaf7f270691bfdc9 MD5 · raw file

  1. require 'rack/protection'
  2. module Rack
  3. module Protection
  4. ##
  5. # Prevented attack:: CSRF
  6. # Supported browsers:: Google Chrome 2, Safari 4 and later
  7. # More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
  8. # http://tools.ietf.org/html/draft-abarth-origin
  9. #
  10. # Does not accept unsafe HTTP requests when value of Origin HTTP request header
  11. # does not match default or whitelisted URIs.
  12. class HttpOrigin < Base
  13. DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
  14. default_reaction :deny
  15. def base_url(env)
  16. request = Rack::Request.new(env)
  17. port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
  18. "#{request.scheme}://#{request.host}#{port}"
  19. end
  20. def accepts?(env)
  21. return true if safe? env
  22. return true unless origin = env['HTTP_ORIGIN']
  23. return true if base_url(env) == origin
  24. Array(options[:origin_whitelist]).include? origin
  25. end
  26. end
  27. end
  28. end