authorDavid Heinemeier Hansson <david@loudthinking.com>2015-12-13 14:24:28 +0100
committerDavid Heinemeier Hansson <david@loudthinking.com>2015-12-13 14:24:28 +0100
commit5fec4b96ffadf1624e6840d7446d78dba40add30 (patch)
tree931ef48e7bc1ed0807d112a1812ab0157004a8ac
parentc362beab2edd3dcae248dfaaaf3e0dee12baafa8 (diff)
parent1c6fb5e3975a96e70684965ca47291206caab6c3 (diff)
Merge pull request #130 from adamliesko/allow_regexps_allowed_origins
Allow regexp for an allowed_request_origins array
-rw-r--r--README.md6
-rw-r--r--lib/action_cable/connection/base.rb2
-rw-r--r--test/connection/cross_site_forgery_test.rb14
3 files changed, 18 insertions, 4 deletions
diff --git a/README.md b/README.md
index ebc505db19..bbc5858c0d 100644
--- a/README.md
+++ b/README.md
@@ -304,10 +304,10 @@ ActionCable.server.config.redis_path = Rails.root('somewhere/else/cable.yml')
### Allowed Request Origins
-Action Cable will only accepting requests from specified origins, which are passed to the server config as an array:
+Action Cable will only accept requests from specified origins, which are passed to the server config as an array. The origins can be instances of strings or regular expressions, against which a check for match will be performed.
```ruby
-ActionCable.server.config.allowed_request_origins = %w( http://rubyonrails.com )
+ActionCable.server.config.allowed_request_origins = ['http://rubyonrails.com', /http:\/\/ruby.*/]
```
To disable and allow requests from any origin:
@@ -437,4 +437,4 @@ Action Cable is released under the MIT license:
Bug reports can be filed for the alpha development project here:
-* https://github.com/rails/actioncable/issues \ No newline at end of file
+* https://github.com/rails/actioncable/issues
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb
index b93b6a8a50..7e9eec7508 100644
--- a/lib/action_cable/connection/base.rb
+++ b/lib/action_cable/connection/base.rb
@@ -172,7 +172,7 @@ module ActionCable
def allow_request_origin?
return true if server.config.disable_request_forgery_protection
- if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN']
+ if Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env['HTTP_ORIGIN'] }
true
else
logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
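Review bot: The `===` comparison on the new `any?` line matches a Regexp origin anywhere inside the `HTTP_ORIGIN` value, so an unanchored pattern like the `/http:\/\/ruby.*/` shown in the README hunk and in the new tests in test/connection/cross_site_forgery_test.rb also accepts a longer origin that merely starts with that prefix, which weakens the forgery check this method exists to enforce. The commit should state that contract next to the check, e.g. `# Regexp entries are matched with ===; anchor them (\A...\z) so a pattern cannot match a longer, unrelated origin.`, and the README example should use an anchored form such as `%r{\Ahttp://rubyonrails\.com\z}`. The test hunk only asserts positive matches on unanchored patterns; a negative case for an origin that extends an allowed host (constructed, e.g. `assert_origin_not_allowed 'http://rubyonrails.com.example'`) would pin the intended behavior. `allow_request_origin?` continues past the end of this hunk.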
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
index 166abb7b38..ede3057e30 100644
--- a/test/connection/cross_site_forgery_test.rb
+++ b/test/connection/cross_site_forgery_test.rb
@@ -40,6 +40,20 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
assert_origin_not_allowed 'http://hax.com'
end
+ test "explicitly specified a single regexp allowed origin" do
+ @server.config.allowed_request_origins = /.*ha.*/
+ assert_origin_not_allowed 'http://rubyonrails.com'
+ assert_origin_allowed 'http://hax.com'
+ end
+
+ test "explicitly specified multiple regexp allowed origins" do
+ @server.config.allowed_request_origins = [/http:\/\/ruby.*/, /.*rai.s.*com/, 'string' ]
+ assert_origin_allowed 'http://rubyonrails.com'
+ assert_origin_allowed 'http://www.rubyonrails.com'
+ assert_origin_not_allowed 'http://hax.com'
+ assert_origin_not_allowed 'http://rails.co.uk'
+ end
+
private
def assert_origin_allowed(origin)
response = connect_with_origin origin