From 268c340b0909bd78259e58b1ed0b53133d924199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1vid=20Hal=C3=A1sz?= <dhalasz@redhat.com>
Date: Wed, 21 Sep 2016 14:55:25 +0200
Subject: Optionally allow ActionCable requests from the same host as origin

When the `allow_same_origin_as_host` is set to `true`, the request
forgery protection permits `HTTP_ORIGIN` values starting with the
corresponding `proto://` prefix followed by `HTTP_HOST`. This way
it is not required to specify the list of allowed URLs.
---
 actioncable/lib/action_cable/connection/base.rb | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'actioncable/lib/action_cable/connection')

diff --git a/actioncable/lib/action_cable/connection/base.rb b/actioncable/lib/action_cable/connection/base.rb
index 4c7fcc1434..76706a7465 100644
--- a/actioncable/lib/action_cable/connection/base.rb
+++ b/actioncable/lib/action_cable/connection/base.rb
@@ -195,8 +195,11 @@ module ActionCable
         def allow_request_origin?
           return true if server.config.disable_request_forgery_protection
 
+          proto = Rack::Request.new(env).ssl? ? "https" : "http"
           if Array(server.config.allowed_request_origins).any? { |allowed_origin|  allowed_origin === env["HTTP_ORIGIN"] }
             true
+          elsif server.config.allow_same_origin_as_host && env["HTTP_ORIGIN"] == "#{proto}://#{env['HTTP_HOST']}"
+            true
           else
             logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
             false
-- 
cgit v1.2.3