From ecab8314eba8519bd593cbc097ef60ee0c285cf2 Mon Sep 17 00:00:00 2001
From: Pratik Naik <pratiknaik@gmail.com>
Date: Mon, 12 Oct 2015 18:14:14 -0500
Subject: Treat ORIGIN as an opaque identifier and do equality comparison with
 the specified whitelist

---
 lib/action_cable/connection/base.rb | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

(limited to 'lib/action_cable/connection/base.rb')

diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb
index 5bf7086b60..f7c5f050d8 100644
--- a/lib/action_cable/connection/base.rb
+++ b/lib/action_cable/connection/base.rb
@@ -168,23 +168,12 @@ module ActionCable
         def allow_request_origin?
           return true if server.config.disable_request_forgery_protection
 
-          if env['HTTP_ORIGIN'].present?
-            origin_host = URI.parse(env['HTTP_ORIGIN']).host
-
-            allowed = if server.config.allowed_request_origins.present?
-              Array(server.config.allowed_request_origins).include? origin_host
-            else
-              request.host == origin_host
-            end
-
-            logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") unless allowed
-            allowed
+          if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN']
+            true
           else
-            logger.error("Request origin missing.")
+            logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
             false
           end
-        rescue URI::InvalidURIError
-          false
         end
 
         def respond_to_successful_request
-- 
cgit v1.2.3