class Rack::Protection::JsonCsrf

Prevented attack:: CSRF
Supported browsers:: all
More info:: flask.pocoo.org/docs/0.10/security/#json-security

JSON GET APIs are vulnerable to being embedded as JavaScript when the
Array prototype has been patched to track data. Checks the referrer
even on GET requests if the content type is JSON.

If the request includes an Origin HTTP header, defers to HttpOrigin to determine
if the request is safe. Please refer to the documentation for more info.

The `:allow_if` option can be set to a proc to use custom allow/deny logic.


# Rack middleware entry point.
#
# Runs the downstream app first, then inspects the request/response pair
# with #has_vector?. When a JSON-CSRF vector is detected the event is
# reported via `warn` (defined outside this block) and the configured
# reaction is applied through #react_and_close; if that reaction yields
# nothing falsy-free to return, the original app response is passed through.
#
# @param env [Hash] the Rack environment
# @return [Array] a Rack response triplet (status, headers, body)
def call(env)
  request = Request.new(env)
  status, headers, body = app.call(env)
  passthrough = [status, headers, body]
  return passthrough unless has_vector?(request, headers)

  warn env, "attack prevented by #{self.class}"
  # A nil reaction means "no override": hand back the untouched response.
  react_and_close(env, body) || passthrough
end


# Releases the downstream response body when it supports closing.
#
# Rack bodies are only required to respond to #each; #close is optional,
# so duck-type on #respond_to? rather than assuming the method exists.
#
# @param body [Object] the body element of a Rack response triplet
# @return [Object, nil] whatever #close returns, or nil when there is no #close
def close_body(body)
  return unless body.respond_to?(:close)

  body.close
end


# Decides whether this request/response pair is a JSON-CSRF vector.
#
# A request is considered safe (returns false) when any of these hold:
# * it is an XHR request;
# * the user-supplied `:allow_if` proc accepts the env;
# * the response media type (Content-Type without parameters) is not
#   application/json.
# Otherwise it is a vector only when no Origin header is present (Origin
# handling is delegated to HttpOrigin elsewhere) and the referrer does not
# match the request host.
#
# NOTE(review): `^`/`$` are line anchors in Ruby regexes; `\A`/`\z` would
# anchor the whole string. Kept as-is to preserve behavior.
#
# @param request [Request] the wrapped Rack request
# @param headers [Hash] the response headers from the downstream app
# @return [Boolean]
def has_vector?(request, headers)
  return false if request.xhr?

  allow_if = options[:allow_if]
  return false if allow_if && allow_if.call(request.env)

  media_type = headers['Content-Type'].to_s.split(';', 2).first
  return false unless media_type.match?(/^\s*application\/json\s*$/)

  origin(request.env).nil? && referrer(request.env) != request.host
end


# Applies the configured reaction and, when one is produced, closes the
# downstream body that is being discarded in its favour.
#
# `react` is defined outside this block; a falsy reaction leaves the body
# open because the caller will still return it.
#
# @param env [Hash] the Rack environment
# @param body [Object] the downstream response body
# @return [Object, nil] the reaction, or nil when there is none
def react_and_close(env, body)
  react(env).tap do |reaction|
    close_body(body) if reaction
  end
end