Optionally allow ActionCable requests from the same host as origin

When the `allow_same_origin_as_host` is set to `true`, the request forgery protection permits `HTTP_ORIGIN` values starting with the corresponding `proto://` prefix followed by `HTTP_HOST`. This way it is not required to specify the list of allowed URLs.
author: Dávid Halász <dhalasz@redhat.com> 2016-09-21 14:55:25 +0200
committer: Dávid Halász <dhalasz@redhat.com> 2016-09-21 16:10:46 +0200
commit: 268c340b0909bd78259e58b1ed0b53133d924199 (patch)
tree: 547d9bbf49af12fd29da581f3baa7cec8fa591e4 /actioncable/README.md
parent: 19966242163611e61d45ee4033f28aa6f967906a (diff)
download: rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.gz
rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.bz2
rails-268c340b0909bd78259e58b1ed0b53133d924199.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/actioncable/README.md b/actioncable/README.md
index 28e2602cbf..28a5d303fe 100644
--- a/actioncable/README.md
+++ b/actioncable/README.md
@@ -340,6 +340,11 @@ To disable and allow requests from any origin:
 Rails.application.config.action_cable.disable_request_forgery_protection = true
 ```
 
+It is also possible to allow origins that are starting with the actual HTTP HOST header:
+```ruby
+Rails.application.config.action_cable.allow_same_origin_as_host = true
+```
+
 ### Consumer Configuration
 
 Once you have decided how to run your cable server (see below), you must provide the server URL (or path) to your client-side setup.
author	Dávid Halász <dhalasz@redhat.com>	2016-09-21 14:55:25 +0200
committer	Dávid Halász <dhalasz@redhat.com>	2016-09-21 16:10:46 +0200
commit	268c340b0909bd78259e58b1ed0b53133d924199 (patch)
tree	547d9bbf49af12fd29da581f3baa7cec8fa591e4 /actioncable/README.md
parent	19966242163611e61d45ee4033f28aa6f967906a (diff)
download	rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.gz rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.bz2 rails-268c340b0909bd78259e58b1ed0b53133d924199.zip