diff --git a/app/controllers/concerns/request_forgery_protection.rb b/app/controllers/concerns/request_forgery_protection.rb index fdff7ba8f..acfc4dbf1 100644 --- a/app/controllers/concerns/request_forgery_protection.rb +++ b/app/controllers/concerns/request_forgery_protection.rb @@ -7,14 +7,10 @@ module RequestForgeryProtection private def verified_via_header_only? - super || allowed_api_request? || allowed_insecure_context_request? + super || allowed_api_request? end def allowed_api_request? sec_fetch_site_value.nil? && request.format.json? end - - def allowed_insecure_context_request? - sec_fetch_site_value.nil? && !request.ssl? && !Rails.configuration.force_ssl - end end diff --git a/test/controllers/concerns/request_forgery_protection_test.rb b/test/controllers/concerns/request_forgery_protection_test.rb index db1a84e63..9f50e353e 100644 --- a/test/controllers/concerns/request_forgery_protection_test.rb +++ b/test/controllers/concerns/request_forgery_protection_test.rb @@ -8,11 +8,13 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest ActionController::Base.allow_forgery_protection = true @original_force_ssl = Rails.configuration.force_ssl + @original_secure_protocol = ActionDispatch::Http::URL.secure_protocol end teardown do ActionController::Base.allow_forgery_protection = @original_allow_forgery_protection Rails.configuration.force_ssl = @original_force_ssl + ActionDispatch::Http::URL.secure_protocol = @original_secure_protocol end test "JSON request succeeds with missing Sec-Fetch-Site header" do @@ -38,6 +40,7 @@ class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest test "HTTP request fails with missing Sec-Fetch-Site header when force_ssl is enabled" do Rails.configuration.force_ssl = true + ActionDispatch::Http::URL.secure_protocol = true assert_no_difference -> { Board.count } do post boards_path,