path: root/actioncable/test/connection/cross_site_forgery_test.rb
Commit message | Author | Age | Files | Lines
* Revert "Merge pull request #29540 from kirs/rubocop-frozen-string" | Matthew Draper | 2017-07-02 | 1 | -1/+0
  This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* Enforce frozen string in Rubocop | Kir Shatrov | 2017-07-01 | 1 | -0/+1
* Permit same-origin connections by default | Matthew Draper | 2016-10-11 | 1 | -1/+2
  WebSocket always defers the decision to the server, because it didn't have to deal with legacy compatibility... but the same-origin policy is still a reasonable default. Origin checks do not protect against a directly connecting attacker -- they can lie about their host, but can also lie about their origin. Origin checks protect against a connection from 3rd-party controlled script in a context where a victim browser's cookies will be passed along. And if an attacker has breached that protection, they've already compromised the HTTP session, so treating the WebSocket connection in the same way seems reasonable. In case this logic proves incorrect (or anyone just wants to be more paranoid), we retain a config option to disable it.
* Optionally allow ActionCable requests from the same host as origin | Dávid Halász | 2016-09-21 | 1 | -0/+8
  When the `allow_same_origin_as_host` is set to `true`, the request forgery protection permits `HTTP_ORIGIN` values starting with the corresponding `proto://` prefix followed by `HTTP_HOST`. This way it is not required to specify the list of allowed URLs.
* applies new string literal convention in actioncable/test | Xavier Noria | 2016-08-06 | 1 | -20/+20
  The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Support faye-websocket + EventMachine as an option | Matthew Draper | 2016-03-02 | 1 | -1/+1
* Revert "Merge pull request #22977 from rails/revert-22934-master" | David Heinemeier Hansson | 2016-01-16 | 1 | -1/+0
  This reverts commit d0393fccffc118a5de37654aa222774b66123393, reversing changes made to 3b7ccadfc1c8dfec61af898167e1300b17f5cf25.
* Revert "Move async execution from celluloid to concurrent-ruby" | David Heinemeier Hansson | 2016-01-08 | 1 | -0/+1
* Remove celluloid references | Mike Perham | 2016-01-05 | 1 | -1/+0
* Remove warnings from actioncable | Arun Agrawal | 2015-12-17 | 1 | -1/+1
  Warnings coming from code and test are removed
* Get ready to merge into Rails | David Heinemeier Hansson | 2015-12-14 | 1 | -0/+82