diff options
| author | Matthew Draper <matthew@trebex.net> | 2016-10-11 12:51:10 +1030 |
|---|---|---|
| committer | Matthew Draper <matthew@trebex.net> | 2016-10-11 12:51:10 +1030 |
| commit | dae404473409fcab0e07976aec626df670e52282 (patch) | |
| tree | 996635fbf7b16974d98683235dc57ea3f88b0ab8 /actioncable/CHANGELOG.md | |
| parent | f8c53eff7be9a5670e3c0da5851312977becb308 (diff) | |
| download | rails-dae404473409fcab0e07976aec626df670e52282.tar.gz rails-dae404473409fcab0e07976aec626df670e52282.tar.bz2 rails-dae404473409fcab0e07976aec626df670e52282.zip | |
Permit same-origin connections by default
WebSocket always defers the decision to the server, because it didn't
have to deal with legacy compatibility... but the same-origin policy is
still a reasonable default.
Origin checks do not protect against a directly connecting attacker --
they can lie about their host, but can also lie about their origin.
Origin checks protect against a connection from 3rd-party controlled
script in a context where a victim browser's cookies will be passed
along. And if an attacker has breached that protection, they've already
compromised the HTTP session, so treating the WebSocket connection in
the same way seems reasonable.
In case this logic proves incorrect (or anyone just wants to be more
paranoid), we retain a config option to disable it.
Diffstat (limited to 'actioncable/CHANGELOG.md')
| -rw-r--r-- | actioncable/CHANGELOG.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md index 137c88d91b..d70d32ce07 100644 --- a/actioncable/CHANGELOG.md +++ b/actioncable/CHANGELOG.md @@ -1,3 +1,10 @@ +* Permit same-origin connections by default. + + New option `config.action_cable.allow_same_origin_as_host = false` + to disable. + + *Dávid Halász*, *Matthew Draper* + * Prevent race where the client could receive and act upon a subscription confirmation before the channel's `subscribed` method completed. |