module Roda::RodaPlugins::SecFetchSiteCsrf::InstanceMethods

def check_sec_fetch_site!(&block)

Check that the Sec-Fetch-Site header is valid, if the request requires it.
If the header is valid or the request does not require the header, return nil.
Otherwise, if a block is given, treat it as a routing block and yield to it, and
if a block is not given, use the plugin :csrf_failure option to determine how to
handle it.
# Enforce the Sec-Fetch-Site CSRF check for the current request.
#
# Returns nil without doing anything when the request method is not in the
# plugin's :check_request_methods list, or when the header value is in
# :allowed_values. A request that sends no Sec-Fetch-Site header is looked
# up as nil, so it passes only if nil is one of the allowed values.
#
# On failure, a given block is handed to the request's +on+ method as a
# routing block. Without a block, the plugin's :csrf_failure option picks
# the handling:
#
# :raise :: raise CsrfFailure, with the inspected header value in the message
# :empty_403 :: halt with a 403, an empty body and only the two headers set here
# :clear_session :: empty the session and return normally
# anything else :: route to _roda_sec_fetch_site_csrf_failure
def check_sec_fetch_site!(&block)
  config = self.class.opts[:sec_fetch_site_csrf]

  # Only the configured request methods are subject to the check.
  checked_methods = config[:check_request_methods]
  return nil unless checked_methods.include?(request.request_method)

  # nil when the client sent no Sec-Fetch-Site header.
  header_value = env["HTTP_SEC_FETCH_SITE"]
  return nil if config[:allowed_values].include?(header_value)

  # From here on the request has failed the check.
  # NOTE(review): if +on+ returns instead of halting, execution falls
  # through to the :csrf_failure handling below -- confirm against r.on.
  if block
    @_request.on(&block)
  end

  case config[:csrf_failure]
  when :raise
    raise CsrfFailure, "potential cross-site request, Sec-Fetch-Site value: #{header_value.inspect}"
  when :empty_403
    response = @_response
    response.status = 403
    # Drop every header set so far; the rejection carries only these two.
    response_headers = response.headers
    response_headers.clear
    response_headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
    response_headers[RodaResponseHeaders::CONTENT_LENGTH] = '0'
    throw :halt, response.finish_with_body([])
  when :clear_session
    # No halt on this path: the caller keeps handling the request, now
    # with an emptied session.
    session.clear
  else # when :method
    @_request.on { _roda_sec_fetch_site_csrf_failure(@_request) }
  end
end