diff options
| -rw-r--r-- | actioncable/CHANGELOG.md | 7 | ||||
| -rw-r--r-- | actioncable/README.md | 13 | ||||
| -rw-r--r-- | actioncable/lib/action_cable/connection/base.rb | 4 | ||||
| -rw-r--r-- | actioncable/lib/action_cable/server/configuration.rb | 2 | ||||
| -rw-r--r-- | actioncable/test/connection/cross_site_forgery_test.rb | 3 |
5 files changed, 21 insertions, 8 deletions
diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md index 137c88d91b..d70d32ce07 100644 --- a/actioncable/CHANGELOG.md +++ b/actioncable/CHANGELOG.md @@ -1,3 +1,10 @@ +* Permit same-origin connections by default. + + New option `config.action_cable.allow_same_origin_as_host = false` + to disable. + + *Dávid Halász*, *Matthew Draper* + * Prevent race where the client could receive and act upon a subscription confirmation before the channel's `subscribed` method completed. diff --git a/actioncable/README.md b/actioncable/README.md index 30b86edd2e..8ad9aeb1f1 100644 --- a/actioncable/README.md +++ b/actioncable/README.md @@ -326,7 +326,10 @@ Rails.application.paths.add "config/cable", with: "somewhere/else/cable.yml" ### Allowed Request Origins -Action Cable will only accept requests from specified origins, which are passed to the server config as an array. The origins can be instances of strings or regular expressions, against which a check for match will be performed. +Action Cable will only accept requests from specific origins. + +By default, only an origin matching the cable server itself will be permitted. +Additional origins can be specified using strings or regular expressions, provided in an array. ```ruby Rails.application.config.action_cable.allowed_request_origins = ['http://rubyonrails.com', /http:\/\/ruby.*/] @@ -334,15 +337,17 @@ Rails.application.config.action_cable.allowed_request_origins = ['http://rubyonr When running in the development environment, this defaults to "http://localhost:3000". -To disable and allow requests from any origin: +To disable protection and allow requests from any origin: ```ruby Rails.application.config.action_cable.disable_request_forgery_protection = true ``` -It is also possible to allow origins that are starting with the actual HTTP HOST header: +To disable automatic access for same-origin requests, and strictly allow +only the configured origins: + ```ruby -Rails.application.config.action_cable.allow_same_origin_as_host = true +Rails.application.config.action_cable.allow_same_origin_as_host = false ``` ### Consumer Configuration diff --git a/actioncable/lib/action_cable/connection/base.rb b/actioncable/lib/action_cable/connection/base.rb index 2596635701..dfee123ea2 100644 --- a/actioncable/lib/action_cable/connection/base.rb +++ b/actioncable/lib/action_cable/connection/base.rb @@ -196,9 +196,9 @@ module ActionCable return true if server.config.disable_request_forgery_protection proto = Rack::Request.new(env).ssl? ? "https" : "http" - if Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env["HTTP_ORIGIN"] } + if server.config.allow_same_origin_as_host && env["HTTP_ORIGIN"] == "#{proto}://#{env['HTTP_HOST']}" true - elsif server.config.allow_same_origin_as_host && env["HTTP_ORIGIN"] == "#{proto}://#{env['HTTP_HOST']}" + elsif Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env["HTTP_ORIGIN"] } true else logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") diff --git a/actioncable/lib/action_cable/server/configuration.rb b/actioncable/lib/action_cable/server/configuration.rb index aa8d10b3d4..17e0dee064 100644 --- a/actioncable/lib/action_cable/server/configuration.rb +++ b/actioncable/lib/action_cable/server/configuration.rb @@ -15,7 +15,7 @@ module ActionCable @worker_pool_size = 4 @disable_request_forgery_protection = false - @allow_same_origin_as_host = false + @allow_same_origin_as_host = true end # Returns constant of subscription adapter specified in config/cable.yml. diff --git a/actioncable/test/connection/cross_site_forgery_test.rb b/actioncable/test/connection/cross_site_forgery_test.rb index 6cabff5440..37bedfd734 100644 --- a/actioncable/test/connection/cross_site_forgery_test.rb +++ b/actioncable/test/connection/cross_site_forgery_test.rb @@ -13,12 +13,13 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase setup do @server = TestServer.new @server.config.allowed_request_origins = %w( http://rubyonrails.com ) + @server.config.allow_same_origin_as_host = false end teardown do @server.config.disable_request_forgery_protection = false @server.config.allowed_request_origins = [] - @server.config.allow_same_origin_as_host = false + @server.config.allow_same_origin_as_host = true end test "disable forgery protection" do |