aboutsummaryrefslogtreecommitdiffstats
path: root/actioncable/lib/action_cable/connection
diff options
context:
space:
mode:
authorMatthew Draper <matthew@trebex.net>2016-10-11 12:28:38 +1030
committerMatthew Draper <matthew@trebex.net>2016-10-11 12:28:38 +1030
commitf8c53eff7be9a5670e3c0da5851312977becb308 (patch)
tree280b4a0070cbc7a275ca79eaf3bd1bcf298697da /actioncable/lib/action_cable/connection
parentbc9dc418259f1db0f14ed895e8469b7839ef474b (diff)
parent268c340b0909bd78259e58b1ed0b53133d924199 (diff)
downloadrails-f8c53eff7be9a5670e3c0da5851312977becb308.tar.gz
rails-f8c53eff7be9a5670e3c0da5851312977becb308.tar.bz2
rails-f8c53eff7be9a5670e3c0da5851312977becb308.zip
Merge pull request #26568 from skateman/cable-sameorigin-as-host
Optionally allow ActionCable requests from the same host as origin
Diffstat (limited to 'actioncable/lib/action_cable/connection')
-rw-r--r--actioncable/lib/action_cable/connection/base.rb3
1 files changed, 3 insertions, 0 deletions
diff --git a/actioncable/lib/action_cable/connection/base.rb b/actioncable/lib/action_cable/connection/base.rb
index 06f4f5edd3..2596635701 100644
--- a/actioncable/lib/action_cable/connection/base.rb
+++ b/actioncable/lib/action_cable/connection/base.rb
@@ -195,8 +195,11 @@ module ActionCable
def allow_request_origin?
return true if server.config.disable_request_forgery_protection
+ proto = Rack::Request.new(env).ssl? ? "https" : "http"
if Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env["HTTP_ORIGIN"] }
true
+ elsif server.config.allow_same_origin_as_host && env["HTTP_ORIGIN"] == "#{proto}://#{env['HTTP_HOST']}"
+ true
else
logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
false