aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
diff options
context:
space:
mode:
authorJack McCracken <jack.mccracken@shopify.com>2017-10-02 16:35:13 -0400
committerJack McCracken <jack.mccracken@shopify.com>2017-11-03 13:34:57 -0400
commitacdba1c6a653bf5c787d3457af95b37708be1e2b (patch)
treec85ea841a78d034da6d4b139f87c8243c056a274 /actionpack/lib/action_controller/metal/request_forgery_protection.rb
parent9ec67362054e874ed905310a79b670941fa397af (diff)
downloadrails-acdba1c6a653bf5c787d3457af95b37708be1e2b.tar.gz
rails-acdba1c6a653bf5c787d3457af95b37708be1e2b.tar.bz2
rails-acdba1c6a653bf5c787d3457af95b37708be1e2b.zip
Add a better error message when a "null" Origin header occurs
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb10
1 files changed, 10 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index d6cd5fd9e0..b2e6f86eeb 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -414,11 +414,21 @@ module ActionController #:nodoc:
allow_forgery_protection
end
+ NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc
+ The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
+ means you have the 'no-referrer' Referrer-Policy header enabled, or that you the request came from a site that
+ refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
+ best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin.
+ If you cannot change the referrer policy, you can disable origin checking with the
+ Rails.application.config.action_controller.forgery_protection_origin_check setting.
+ MSG
+
# Checks if the request originated from the same origin by looking at the
# Origin header.
def valid_request_origin? # :doc:
if forgery_protection_origin_check
# We accept blank origin headers because some user agents don't send it.
+ raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null"
request.origin.nil? || request.origin == request.base_url
else
true