diff options
author | Pratik Naik <pratiknaik@gmail.com> | 2015-10-07 11:24:20 -0500 |
---|---|---|
committer | Pratik Naik <pratiknaik@gmail.com> | 2015-10-07 11:24:20 -0500 |
commit | 04317173a02eb67c103364b5c8b5756ac61fac98 (patch) | |
tree | f7d7a6af91eac536cf420a57e03b5c3493741e8e /lib/action_cable/connection/base.rb | |
parent | 91d6db34357634eaa0903b5c05a5db8b10066366 (diff) | |
download | rails-04317173a02eb67c103364b5c8b5756ac61fac98.tar.gz rails-04317173a02eb67c103364b5c8b5756ac61fac98.tar.bz2 rails-04317173a02eb67c103364b5c8b5756ac61fac98.zip |
First take at cross site forgery protection
Diffstat (limited to 'lib/action_cable/connection/base.rb')
-rw-r--r-- | lib/action_cable/connection/base.rb | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb index 08a75156a3..a2ef99dff4 100644 --- a/lib/action_cable/connection/base.rb +++ b/lib/action_cable/connection/base.rb @@ -71,7 +71,7 @@ module ActionCable def process logger.info started_request_message - if websocket.possible? + if websocket.possible? && allow_request_origin? websocket.on(:open) { |event| send_async :on_open } websocket.on(:message) { |event| on_message event.data } websocket.on(:close) { |event| send_async :on_close } @@ -165,6 +165,28 @@ module ActionCable end + def allow_request_origin? + return true if server.config.disable_request_forgery_protection + + if env['HTTP_ORIGIN'].present? + origin_host = URI.parse(env['HTTP_ORIGIN']).host + + allowed = if server.config.allowed_request_origins.present? + Array.wrap(server.config.allowed_request_origins).include? origin_host + else + request.host == origin_host + end + + logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") unless allowed + allowed + else + logger.error("Request origin missing.") + false + end + rescue URI::InvalidURIError + false + end + def respond_to_successful_request websocket.rack_response end |