diff options
author | Sean Griffin <sean@seantheprogrammer.com> | 2017-12-07 14:19:39 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-07 14:19:39 -0700 |
commit | e88e6cea2113ce3e54410cbd8c2da92b86f83d2b (patch) | |
tree | 2c1b6cc96b6c0180382c20bb09162118cc697708 /actionpack/lib/action_controller/metal/request_forgery_protection.rb | |
parent | e8286ee272a3e51daebc198519accd1f6895a8d2 (diff) | |
parent | acdba1c6a653bf5c787d3457af95b37708be1e2b (diff) | |
download | rails-e88e6cea2113ce3e54410cbd8c2da92b86f83d2b.tar.gz rails-e88e6cea2113ce3e54410cbd8c2da92b86f83d2b.tar.bz2 rails-e88e6cea2113ce3e54410cbd8c2da92b86f83d2b.zip |
Merge pull request #30780 from JackMc/fix-chrome-referrer-invalidauthenticitytoken
Fix issue #30658 by checking explicitly for 'null' referrer
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 04fadc90e2..767eddb361 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -415,11 +415,21 @@ module ActionController #:nodoc: allow_forgery_protection end + NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc + The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually + means you have the 'no-referrer' Referrer-Policy header enabled, or that you the request came from a site that + refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the + best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin. + If you cannot change the referrer policy, you can disable origin checking with the + Rails.application.config.action_controller.forgery_protection_origin_check setting. + MSG + # Checks if the request originated from the same origin by looking at the # Origin header. def valid_request_origin? # :doc: if forgery_protection_origin_check # We accept blank origin headers because some user agents don't send it. + raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null" request.origin.nil? || request.origin == request.base_url else true |