class Rack::Protection::HttpOrigin

Prevented attack: CSRF
Supported browsers: Google Chrome 2, Safari 4 and later
More info: en.wikipedia.org/wiki/Cross-site_request_forgery

Does not accept unsafe HTTP requests when the value of the Origin HTTP request header does not match the default or whitelisted URIs.

If you want to whitelist a specific domain, you can pass it in as the `:origin_whitelist` option:

```ruby
use Rack::Protection, origin_whitelist: ["localhost:3000", "127.0.0.1:3000"]
```

The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
accepts?(env)

```ruby
# Decide whether the request may proceed. Safe (read-only) methods and
# requests without an Origin header are always accepted; otherwise the
# Origin must equal this app's own base URL, satisfy the :allow_if proc,
# or appear verbatim in :origin_whitelist.
def accepts?(env)
  return true if safe? env
  return true unless origin = env['HTTP_ORIGIN']
  return true if base_url(env) == origin
  return true if options[:allow_if] && options[:allow_if].call(env)

  Array(options[:origin_whitelist]).include? origin
end
```
base_url(env)

```ruby
# Rebuild "scheme://host[:port]" for the current request, omitting the
# port when it is the scheme's default (DEFAULT_PORTS maps 'http' => 80
# and 'https' => 443), so the result can be compared with an Origin header.
def base_url(env)
  request = Rack::Request.new(env)
  port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
  "#{request.scheme}://#{request.host}#{port}"
end
```
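To see how these rules combine, here is an added, stand-alone re-implementation of the same decision logic (not the gem's code: it reads the Rack env hash directly instead of using Rack::Request, and `sample_env` is a constructed helper) run against constructed requests. It also shows that whitelist entries are compared verbatim against the Origin header, so an entry without the scheme never matches.

```ruby
# Stand-alone re-implementation of the HttpOrigin decision logic for
# illustration; it reads the Rack env hash directly and does not load
# rack-protection or Rack::Request.
SAFE_METHODS  = %w[GET HEAD OPTIONS TRACE].freeze
DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze

# Rebuild "scheme://host[:port]" for this request, dropping a default
# port, which is the form a browser sends in the Origin header.
def base_url(env)
  scheme = env['rack.url_scheme']
  host, port = env['HTTP_HOST'].to_s.split(':')
  port = (port || env['SERVER_PORT']).to_i
  port_part = port == DEFAULT_PORTS[scheme] ? '' : ":#{port}"
  "#{scheme}://#{host}#{port_part}"
end

# True when the request may proceed, mirroring HttpOrigin#accepts?.
def origin_accepts?(env, origin_whitelist: [], allow_if: nil)
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  origin = env['HTTP_ORIGIN']
  return true unless origin                 # no Origin: nothing to check
  return true if base_url(env) == origin    # same-origin request
  return true if allow_if && allow_if.call(env)

  # Exact string match against the raw header, scheme and port included.
  Array(origin_whitelist).include?(origin)
end

# Constructed request env (hypothetical helper, not part of Rack).
def sample_env(method, origin, host: 'app.example', scheme: 'https', port: 443, path: '/')
  env = { 'REQUEST_METHOD' => method, 'rack.url_scheme' => scheme,
          'HTTP_HOST' => host, 'SERVER_PORT' => port.to_s, 'PATH_INFO' => path }
  env['HTTP_ORIGIN'] = origin if origin
  env
end

if __FILE__ == $PROGRAM_NAME
  # A cross-site POST is denied; a whitelist entry without the scheme never matches.
  puts origin_accepts?(sample_env('POST', 'https://evil.example'))
  puts origin_accepts?(sample_env('POST', 'https://admin.example'), origin_whitelist: ['admin.example'])
end
```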