3 files changed, 18 insertions, 4 deletions

diff --git a/README.md b/README.md
index 601d5764e0..48a8cbfbe6 100644
--- a/README.md
+++ b/README.md
@@ -304,10 +304,10 @@ ActionCable.server.config.redis_path = Rails.root('somewhere/else/cable.yml')
 
 ### Allowed Request Origins
 
-Action Cable will only accepting requests from specified origins, which are passed to the server config as an array:
+Action Cable will only accept requests from specified origins, which are passed to the server config as an array. The origins can be instances of strings or regular expressions, against which a check for match will be performed.
 
 ```ruby
-ActionCable.server.config.allowed_request_origins = %w( http://rubyonrails.com )
+ActionCable.server.config.allowed_request_origins = ['http://rubyonrails.com', /http:\/\/ruby.*/]
 ```
 
 To disable and allow requests from any origin:
@@ -457,4 +457,4 @@ Action Cable is released under the MIT license:
 
 Bug reports can be filed for the alpha development project here:
 
-* https://github.com/rails/actioncable/issues
\ No newline at end of file
+* https://github.com/rails/actioncable/issues
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb
index b93b6a8a50..7e9eec7508 100644
--- a/lib/action_cable/connection/base.rb
+++ b/lib/action_cable/connection/base.rb
@@ -172,7 +172,7 @@ module ActionCable
         def allow_request_origin?
           return true if server.config.disable_request_forgery_protection
 
-          if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN']
+          if Array(server.config.allowed_request_origins).any? { |allowed_origin|  allowed_origin === env['HTTP_ORIGIN'] }
             true
           else
             logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
index 166abb7b38..ede3057e30 100644
--- a/test/connection/cross_site_forgery_test.rb
+++ b/test/connection/cross_site_forgery_test.rb
@@ -40,6 +40,20 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
     assert_origin_not_allowed 'http://hax.com'
   end
 
+  test "explicitly specified a single regexp allowed origin" do
+    @server.config.allowed_request_origins = /.*ha.*/
+    assert_origin_not_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://hax.com'
+  end
+
+  test "explicitly specified multiple regexp allowed origins" do
+    @server.config.allowed_request_origins = [/http:\/\/ruby.*/, /.*rai.s.*com/, 'string' ]
+    assert_origin_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://www.rubyonrails.com'
+    assert_origin_not_allowed 'http://hax.com'
+    assert_origin_not_allowed 'http://rails.co.uk'
+  end
+
   private
     def assert_origin_allowed(origin)
       response = connect_with_origin origin