class Rack::Protection::HttpOrigin

Prevented attack: CSRF

Supported browsers: Google Chrome 2, Safari 4 and later

More info: en.wikipedia.org/wiki/Cross-site_request_forgery

Does not accept unsafe HTTP requests when the value of the Origin HTTP request header
does not match the default or permitted URIs.

If you want to permit a specific domain, you can pass it in as the `:permitted_origins` option. Each entry is compared verbatim against the Origin header, so it must be the full origin, scheme included:

    use Rack::Protection, permitted_origins: ["http://localhost:3000", "http://127.0.0.1:3000"]

The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
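One way to write an `:allow_if` proc that trusts a domain and its subdomains without loose string matching, as an added example (not code from rack-protection). The names `trusted_origin?` and `ALLOW_TRUSTED_ORIGIN`, the domain `example.com` and the sample origins are constructed for illustration.

```ruby
require 'uri'

# Constructed policy for this example: https origins on example.com
# and its subdomains are trusted.
TRUSTED_SCHEME = 'https'
TRUSTED_DOMAIN = 'example.com'

# True only when origin is scheme://host[:port] with the trusted scheme
# and a host that is TRUSTED_DOMAIN or ends in ".TRUSTED_DOMAIN".
def trusted_origin?(origin)
  uri = URI.parse(origin.to_s)
  return false unless uri.scheme == TRUSTED_SCHEME && uri.host
  # A serialized origin has no userinfo, path, query or fragment.
  return false if uri.userinfo || uri.query || uri.fragment
  return false unless uri.path.empty?

  host = uri.host.downcase
  host == TRUSTED_DOMAIN || host.end_with?(".#{TRUSTED_DOMAIN}")
rescue URI::InvalidURIError
  false
end

# Proc in the shape :allow_if expects: it is called with the Rack env.
ALLOW_TRUSTED_ORIGIN = ->(env) { trusted_origin?(env['HTTP_ORIGIN']) }

# Wiring (needs the rack-protection gem, so left as a comment):
#   use Rack::Protection::HttpOrigin, allow_if: ALLOW_TRUSTED_ORIGIN

# Constructed Origin values mapped to the decision the proc should give.
SAMPLES = {
  'https://app.example.com' => true,
  'https://example.com:8443' => true,
  'http://app.example.com' => false,       # wrong scheme
  'https://evil-example.com' => false,     # no dot boundary
  'https://example.com.evil.net' => false, # trusted name as a prefix
  'https://example.com@evil.net' => false, # trusted name as userinfo
  'null' => false,                         # opaque origin
  nil => false                             # header absent
}.freeze

def decisions
  SAMPLES.keys.map { |o| [o, ALLOW_TRUSTED_ORIGIN.call({ 'HTTP_ORIGIN' => o })] }.to_h
end

decisions.each { |o, ok| puts format('%-32s %s', o.inspect, ok ? 'allow' : 'deny') } if $PROGRAM_NAME == __FILE__
```

Scoping the proc to `Rack::Protection::HttpOrigin` keeps the relaxed rule limited to the Origin check.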

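def accepts?(env)
  # Requests with a safe HTTP method are always accepted.
  return true if safe? env
  # A request that carries no Origin header is accepted as well.
  return true unless (origin = env['HTTP_ORIGIN'])
  # Same-origin request: Origin equals this application's base URL.
  return true if base_url(env) == origin
  # Custom logic supplied through the :allow_if proc.
  return true if options[:allow_if]&.call(env)
  # Otherwise the Origin must exactly match a :permitted_origins entry.
  permitted_origins = options[:permitted_origins]
  Array(permitted_origins).include? origin
end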

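def base_url(env)
  request = Rack::Request.new(env)
  # Leave the port out when it is the default for the scheme, so the
  # result has the same form as an Origin header value.
  port = ":#{request.port}" unless request.port == DEFAULT_PORTS[request.scheme]
  "#{request.scheme}://#{request.host}#{port}"
end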