Improve logging when Origin header doesn't match

I came up against this while dealing with a misconfigured server. The
browser was setting the Origin header to "https://example.com", but the
Rails app returned "http://example.com" from request.base_url (because
it was failing to detect that HTTPS was used).

This caused verify_authenticity_token to fail, but the message in the
log was "Can't verify CSRF token", which is confusing because the
failure had nothing to do with the CSRF token sent in the request. This
made it very hard to identify the issue, so hopefully this will make it
more obvious for the next person.

1 files changed, 5 insertions, 1 deletions

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index d9a8b9c12d..5051c02a62 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -213,7 +213,11 @@ module ActionController #:nodoc:
 
         if !verified_request?
           if logger && log_warning_on_csrf_failure
-            logger.warn "Can't verify CSRF token authenticity."
+            if valid_request_origin?
+              logger.warn "Can't verify CSRF token authenticity."
+            else
+              logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+            end
           end
           handle_unverified_request
         end