diff options
author | Dávid Halász <dhalasz@redhat.com> | 2016-09-21 14:55:25 +0200 |
---|---|---|
committer | Dávid Halász <dhalasz@redhat.com> | 2016-09-21 16:10:46 +0200 |
commit | 268c340b0909bd78259e58b1ed0b53133d924199 (patch) | |
tree | 547d9bbf49af12fd29da581f3baa7cec8fa591e4 /actioncable/README.md | |
parent | 19966242163611e61d45ee4033f28aa6f967906a (diff) | |
download | rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.gz rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.bz2 rails-268c340b0909bd78259e58b1ed0b53133d924199.zip |
Optionally allow ActionCable requests from the same host as origin
When the `allow_same_origin_as_host` is set to `true`, the request
forgery protection permits `HTTP_ORIGIN` values starting with the
corresponding `proto://` prefix followed by `HTTP_HOST`. This way
it is not required to specify the list of allowed URLs.
Diffstat (limited to 'actioncable/README.md')
-rw-r--r-- | actioncable/README.md | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/actioncable/README.md b/actioncable/README.md index 28e2602cbf..28a5d303fe 100644 --- a/actioncable/README.md +++ b/actioncable/README.md @@ -340,6 +340,11 @@ To disable and allow requests from any origin: Rails.application.config.action_cable.disable_request_forgery_protection = true ``` +It is also possible to allow origins that are starting with the actual HTTP HOST header: +```ruby +Rails.application.config.action_cable.allow_same_origin_as_host = true +``` + ### Consumer Configuration Once you have decided how to run your cable server (see below), you must provide the server URL (or path) to your client-side setup. |