gem.sh

lib/rack/protection/json_csrf.rb

require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack::   CSRF
    # Supported browsers:: all
    # More infos::         http://flask.pocoo.org/docs/security/#json-security
    #
    # JSON GET APIs are volnurable to being embedded as JavaScript while the
    # Array prototype has been patched to track data. Checks the referrer
    # even on GET requests if the content type is JSON.
    class JsonCsrf < Base
      default_reaction :deny

      def call(env)
        status, headers, body = app.call(env)
        if headers['Content-Type'].to_s.split(';', 2).first.strip == 'application/json'
          result = react(env) if referrer(env) != Request.new(env).host
        end
        result or [status, headers, body]
      end
    end
  end
end

Source Files

lib/rack-protection.rb
lib/rack/protection.rb
lib/rack/protection/authenticity_token.rb
lib/rack/protection/base.rb
lib/rack/protection/escaped_params.rb
lib/rack/protection/form_token.rb
lib/rack/protection/frame_options.rb
lib/rack/protection/ip_spoofing.rb
lib/rack/protection/json_csrf.rb
lib/rack/protection/path_traversal.rb
lib/rack/protection/remote_referrer.rb
lib/rack/protection/remote_token.rb
lib/rack/protection/session_hijacking.rb
lib/rack/protection/version.rb
lib/rack/protection/xss_header.rb

Modules

Classes

lib/rack/protection/json_csrf.rb

Source Files