Add option to verify Origin header in CSRF checks

author: Ben Toews <mastahyeti@users.noreply.github.com> 2015-11-25 15:06:12 -0700
committer: Ben Toews <mastahyeti@users.noreply.github.com> 2015-11-25 15:06:12 -0700
commit: 85783534fcf1baefa5b502a2bfee235ae6d612d7 (patch)
tree: 64c3c3fe095f7da41c309a238f1c02186eccd08f /actionpack/lib/action_dispatch
parent: cb67c819338d75c07a591dc23759747c740a5088 (diff)
download: rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.tar.gz
rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.tar.bz2
rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index ea61ad0c02..0c8d0a5d14 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -36,8 +36,8 @@ module ActionDispatch
         HTTP_ACCEPT HTTP_ACCEPT_CHARSET HTTP_ACCEPT_ENCODING
         HTTP_ACCEPT_LANGUAGE HTTP_CACHE_CONTROL HTTP_FROM
         HTTP_NEGOTIATE HTTP_PRAGMA HTTP_CLIENT_IP
-        HTTP_X_FORWARDED_FOR HTTP_VERSION
-        HTTP_X_REQUEST_ID HTTP_X_FORWARDED_HOST
+        HTTP_X_FORWARDED_FOR HTTP_ORIGIN HTTP_VERSION
+        HTTP_X_CSRF_TOKEN HTTP_X_REQUEST_ID HTTP_X_FORWARDED_HOST
         SERVER_ADDR
         ].freeze
author	Ben Toews <mastahyeti@users.noreply.github.com>	2015-11-25 15:06:12 -0700
committer	Ben Toews <mastahyeti@users.noreply.github.com>	2015-11-25 15:06:12 -0700
commit	85783534fcf1baefa5b502a2bfee235ae6d612d7 (patch)
tree	64c3c3fe095f7da41c309a238f1c02186eccd08f /actionpack/lib/action_dispatch
parent	cb67c819338d75c07a591dc23759747c740a5088 (diff)
download	rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.tar.gz rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.tar.bz2 rails-85783534fcf1baefa5b502a2bfee235ae6d612d7.zip