Treat ORIGIN as an opaque identifier and do equality comparison with the specified whitelist

author: Pratik Naik <pratiknaik@gmail.com> 2015-10-12 18:14:14 -0500
committer: Pratik Naik <pratiknaik@gmail.com> 2015-10-12 18:14:14 -0500
commit: ecab8314eba8519bd593cbc097ef60ee0c285cf2 (patch)
tree: 4ee9d611985c3a3ee85b7247959d6f24a8ebccce /test/connection
parent: d621ae41c11398992647c600b484446ecc76a11b (diff)
download: rails-ecab8314eba8519bd593cbc097ef60ee0c285cf2.tar.gz
rails-ecab8314eba8519bd593cbc097ef60ee0c285cf2.tar.bz2
rails-ecab8314eba8519bd593cbc097ef60ee0c285cf2.zip
2 files changed, 8 insertions, 7 deletions
diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb
index 6c8bacde9a..bc8b5ba568 100644
--- a/test/connection/base_test.rb
+++ b/test/connection/base_test.rb
@@ -16,9 +16,10 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
 
   setup do
     @server = TestServer.new
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com )
 
     env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket',
-      'SERVER_NAME' => 'rubyonrails.com', 'HTTP_ORIGIN' => 'http://rubyonrails.com'
+      'HTTP_ORIGIN' => 'http://rubyonrails.com'
 
     @connection = Connection.new(@server, env)
     @response = @connection.process
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
index b904dbd8b6..6073f89287 100644
--- a/test/connection/cross_site_forgery_test.rb
+++ b/test/connection/cross_site_forgery_test.rb
@@ -6,11 +6,12 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
 
   setup do
     @server = TestServer.new
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com )
   end
 
-  test "default cross site forgery protection only allows origin same as the server host" do
-    assert_origin_allowed 'http://rubyonrails.com'
-    assert_origin_not_allowed 'http://hax.com'
+  teardown do
+    @server.config.disable_request_forgery_protection = false
+    @server.config.allowed_request_origins = []
   end
 
   test "disable forgery protection" do
@@ -20,16 +21,15 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
   end
 
   test "explicitly specified a single allowed origin" do
-    @server.config.allowed_request_origins = 'hax.com'
+    @server.config.allowed_request_origins = 'http://hax.com'
     assert_origin_not_allowed 'http://rubyonrails.com'
     assert_origin_allowed 'http://hax.com'
   end
 
   test "explicitly specified multiple allowed origins" do
-    @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com )
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )
     assert_origin_allowed 'http://rubyonrails.com'
     assert_origin_allowed 'http://www.rubyonrails.com'
-    assert_origin_allowed 'https://www.rubyonrails.com'
     assert_origin_not_allowed 'http://hax.com'
   end
author	Pratik Naik <pratiknaik@gmail.com>	2015-10-12 18:14:14 -0500
committer	Pratik Naik <pratiknaik@gmail.com>	2015-10-12 18:14:14 -0500
commit	ecab8314eba8519bd593cbc097ef60ee0c285cf2 (patch)
tree	4ee9d611985c3a3ee85b7247959d6f24a8ebccce /test/connection
parent	d621ae41c11398992647c600b484446ecc76a11b (diff)
download	rails-ecab8314eba8519bd593cbc097ef60ee0c285cf2.tar.gz rails-ecab8314eba8519bd593cbc097ef60ee0c285cf2.tar.bz2 rails-ecab8314eba8519bd593cbc097ef60ee0c285cf2.zip