diff options
| author | Dávid Halász <dhalasz@redhat.com> | 2016-09-21 14:55:25 +0200 |
|---|---|---|
| committer | Dávid Halász <dhalasz@redhat.com> | 2016-09-21 16:10:46 +0200 |
| commit | 268c340b0909bd78259e58b1ed0b53133d924199 (patch) | |
| tree | 547d9bbf49af12fd29da581f3baa7cec8fa591e4 /actioncable/lib/action_cable/connection/base.rb | |
| parent | 19966242163611e61d45ee4033f28aa6f967906a (diff) | |
| download | rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.gz rails-268c340b0909bd78259e58b1ed0b53133d924199.tar.bz2 rails-268c340b0909bd78259e58b1ed0b53133d924199.zip | |
Optionally allow ActionCable requests from the same host as origin
When the `allow_same_origin_as_host` is set to `true`, the request
forgery protection permits `HTTP_ORIGIN` values starting with the
corresponding `proto://` prefix followed by `HTTP_HOST`. This way
it is not required to specify the list of allowed URLs.
Diffstat (limited to 'actioncable/lib/action_cable/connection/base.rb')
| -rw-r--r-- | actioncable/lib/action_cable/connection/base.rb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/actioncable/lib/action_cable/connection/base.rb b/actioncable/lib/action_cable/connection/base.rb index 4c7fcc1434..76706a7465 100644 --- a/actioncable/lib/action_cable/connection/base.rb +++ b/actioncable/lib/action_cable/connection/base.rb @@ -195,8 +195,11 @@ module ActionCable def allow_request_origin? return true if server.config.disable_request_forgery_protection + proto = Rack::Request.new(env).ssl? ? "https" : "http" if Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env["HTTP_ORIGIN"] } true + elsif server.config.allow_same_origin_as_host && env["HTTP_ORIGIN"] == "#{proto}://#{env['HTTP_HOST']}" + true else logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") false |