aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--lib/action_cable/connection/base.rb17
-rw-r--r--test/connection/base_test.rb3
-rw-r--r--test/connection/cross_site_forgery_test.rb12
3 files changed, 11 insertions, 21 deletions
diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb
index 5bf7086b60..f7c5f050d8 100644
--- a/lib/action_cable/connection/base.rb
+++ b/lib/action_cable/connection/base.rb
@@ -168,23 +168,12 @@ module ActionCable
def allow_request_origin?
return true if server.config.disable_request_forgery_protection
- if env['HTTP_ORIGIN'].present?
- origin_host = URI.parse(env['HTTP_ORIGIN']).host
-
- allowed = if server.config.allowed_request_origins.present?
- Array(server.config.allowed_request_origins).include? origin_host
- else
- request.host == origin_host
- end
-
- logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") unless allowed
- allowed
+ if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN']
+ true
else
- logger.error("Request origin missing.")
+ logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
false
end
- rescue URI::InvalidURIError
- false
end
def respond_to_successful_request
diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb
index 6c8bacde9a..bc8b5ba568 100644
--- a/test/connection/base_test.rb
+++ b/test/connection/base_test.rb
@@ -16,9 +16,10 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
setup do
@server = TestServer.new
+ @server.config.allowed_request_origins = %w( http://rubyonrails.com )
env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket',
- 'SERVER_NAME' => 'rubyonrails.com', 'HTTP_ORIGIN' => 'http://rubyonrails.com'
+ 'HTTP_ORIGIN' => 'http://rubyonrails.com'
@connection = Connection.new(@server, env)
@response = @connection.process
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
index b904dbd8b6..6073f89287 100644
--- a/test/connection/cross_site_forgery_test.rb
+++ b/test/connection/cross_site_forgery_test.rb
@@ -6,11 +6,12 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
setup do
@server = TestServer.new
+ @server.config.allowed_request_origins = %w( http://rubyonrails.com )
end
- test "default cross site forgery protection only allows origin same as the server host" do
- assert_origin_allowed 'http://rubyonrails.com'
- assert_origin_not_allowed 'http://hax.com'
+ teardown do
+ @server.config.disable_request_forgery_protection = false
+ @server.config.allowed_request_origins = []
end
test "disable forgery protection" do
@@ -20,16 +21,15 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
end
test "explicitly specified a single allowed origin" do
- @server.config.allowed_request_origins = 'hax.com'
+ @server.config.allowed_request_origins = 'http://hax.com'
assert_origin_not_allowed 'http://rubyonrails.com'
assert_origin_allowed 'http://hax.com'
end
test "explicitly specified multiple allowed origins" do
- @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com )
+ @server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )
assert_origin_allowed 'http://rubyonrails.com'
assert_origin_allowed 'http://www.rubyonrails.com'
- assert_origin_allowed 'https://www.rubyonrails.com'
assert_origin_not_allowed 'http://hax.com'
end