From 268c340b0909bd78259e58b1ed0b53133d924199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C3=A1vid=20Hal=C3=A1sz?= <dhalasz@redhat.com>
Date: Wed, 21 Sep 2016 14:55:25 +0200
Subject: Optionally allow ActionCable requests from the same host as origin

When the `allow_same_origin_as_host` is set to `true`, the request
forgery protection permits `HTTP_ORIGIN` values starting with the
corresponding `proto://` prefix followed by `HTTP_HOST`. This way
it is not required to specify the list of allowed URLs.
---
 actioncable/test/connection/cross_site_forgery_test.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'actioncable/test/connection')

diff --git a/actioncable/test/connection/cross_site_forgery_test.rb b/actioncable/test/connection/cross_site_forgery_test.rb
index 3bc59c9db9..6cabff5440 100644
--- a/actioncable/test/connection/cross_site_forgery_test.rb
+++ b/actioncable/test/connection/cross_site_forgery_test.rb
@@ -18,6 +18,7 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
   teardown do
     @server.config.disable_request_forgery_protection = false
     @server.config.allowed_request_origins = []
+    @server.config.allow_same_origin_as_host = false
   end
 
   test "disable forgery protection" do
@@ -53,6 +54,13 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
     assert_origin_not_allowed "http://rails.co.uk"
   end
 
+  test "allow same origin as host" do
+    @server.config.allow_same_origin_as_host = true
+    assert_origin_allowed "http://#{HOST}"
+    assert_origin_not_allowed "http://hax.com"
+    assert_origin_not_allowed "http://rails.co.uk"
+  end
+
   private
     def assert_origin_allowed(origin)
       response = connect_with_origin origin
-- 
cgit v1.2.3