aboutsummaryrefslogtreecommitdiffstats
path: root/actioncable/test/connection
diff options
context:
space:
mode:
authorMatthew Draper <matthew@trebex.net>2016-10-11 12:51:10 +1030
committerMatthew Draper <matthew@trebex.net>2016-10-11 12:51:10 +1030
commitdae404473409fcab0e07976aec626df670e52282 (patch)
tree996635fbf7b16974d98683235dc57ea3f88b0ab8 /actioncable/test/connection
parentf8c53eff7be9a5670e3c0da5851312977becb308 (diff)
downloadrails-dae404473409fcab0e07976aec626df670e52282.tar.gz
rails-dae404473409fcab0e07976aec626df670e52282.tar.bz2
rails-dae404473409fcab0e07976aec626df670e52282.zip
Permit same-origin connections by default
WebSocket always defers the decision to the server, because it didn't have to deal with legacy compatibility... but the same-origin policy is still a reasonable default. Origin checks do not protect against a directly connecting attacker -- they can lie about their host, but can also lie about their origin. Origin checks protect against a connection from 3rd-party controlled script in a context where a victim browser's cookies will be passed along. And if an attacker has breached that protection, they've already compromised the HTTP session, so treating the WebSocket connection in the same way seems reasonable. In case this logic proves incorrect (or anyone just wants to be more paranoid), we retain a config option to disable it.
Diffstat (limited to 'actioncable/test/connection')
-rw-r--r--actioncable/test/connection/cross_site_forgery_test.rb3
1 files changed, 2 insertions, 1 deletions
diff --git a/actioncable/test/connection/cross_site_forgery_test.rb b/actioncable/test/connection/cross_site_forgery_test.rb
index 6cabff5440..37bedfd734 100644
--- a/actioncable/test/connection/cross_site_forgery_test.rb
+++ b/actioncable/test/connection/cross_site_forgery_test.rb
@@ -13,12 +13,13 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
setup do
@server = TestServer.new
@server.config.allowed_request_origins = %w( http://rubyonrails.com )
+ @server.config.allow_same_origin_as_host = false
end
teardown do
@server.config.disable_request_forgery_protection = false
@server.config.allowed_request_origins = []
- @server.config.allow_same_origin_as_host = false
+ @server.config.allow_same_origin_as_host = true
end
test "disable forgery protection" do