Remove redundant insecure context CSRF check

Rails now handles the insecure context case natively in
verified_via_header_only? — when Sec-Fetch-Site is missing and the
request is plain HTTP without force_ssl, the request is allowed.

Remove the now-redundant allowed_insecure_context_request? method and
update the test to set ActionDispatch::Http::URL.secure_protocol
alongside Rails.configuration.force_ssl so the upstream check works
correctly in the test environment.
This commit is contained in:
Mike Dalessio
2026-02-18 14:06:46 -05:00
parent 41c2bd38af
commit 41675224d0
2 changed files with 4 additions and 5 deletions
@@ -7,14 +7,10 @@ module RequestForgeryProtection
private
def verified_via_header_only?
super || allowed_api_request? || allowed_insecure_context_request?
super || allowed_api_request?
end
def allowed_api_request?
sec_fetch_site_value.nil? && request.format.json?
end
def allowed_insecure_context_request?
sec_fetch_site_value.nil? && !request.ssl? && !Rails.configuration.force_ssl
end
end
@@ -8,11 +8,13 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest
ActionController::Base.allow_forgery_protection = true
@original_force_ssl = Rails.configuration.force_ssl
@original_secure_protocol = ActionDispatch::Http::URL.secure_protocol
end
teardown do
ActionController::Base.allow_forgery_protection = @original_allow_forgery_protection
Rails.configuration.force_ssl = @original_force_ssl
ActionDispatch::Http::URL.secure_protocol = @original_secure_protocol
end
test "JSON request succeeds with missing Sec-Fetch-Site header" do
@@ -38,6 +40,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest
test "HTTP request fails with missing Sec-Fetch-Site header when force_ssl is enabled" do
Rails.configuration.force_ssl = true
ActionDispatch::Http::URL.secure_protocol = true
assert_no_difference -> { Board.count } do
post boards_path,