5f390f72df
In this case requests won't be performed from a secure context [1] and the browser won't send the Sec-Fetch-Site header. This means non-GET requests will be rejected because CSRF protection will fail. With this change, we allow these requests with missing Sec-Fetch-Site headers if: - They happen over HTTP - The app is not configured to force SSL The Origin check happens in any case. [1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
62 lines
1.7 KiB
Ruby
62 lines
1.7 KiB
Ruby
require "test_helper"
|
|
|
|
class RequestForgeryProtectionTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
sign_in_as :kevin
|
|
|
|
@original_allow_forgery_protection = ActionController::Base.allow_forgery_protection
|
|
ActionController::Base.allow_forgery_protection = true
|
|
|
|
@original_force_ssl = Rails.configuration.force_ssl
|
|
end
|
|
|
|
teardown do
|
|
ActionController::Base.allow_forgery_protection = @original_allow_forgery_protection
|
|
Rails.configuration.force_ssl = @original_force_ssl
|
|
end
|
|
|
|
test "JSON request succeeds with missing Sec-Fetch-Site header" do
|
|
assert_difference -> { Board.count }, +1 do
|
|
post boards_path,
|
|
params: { board: { name: "Test Board" } },
|
|
as: :json
|
|
end
|
|
|
|
assert_response :created
|
|
end
|
|
|
|
test "HTTP request succeeds with missing Sec-Fetch-Site header when force_ssl is disabled" do
|
|
Rails.configuration.force_ssl = false
|
|
|
|
assert_difference -> { Board.count }, +1 do
|
|
post boards_path,
|
|
params: { board: { name: "Test Board" } }
|
|
end
|
|
|
|
assert_response :redirect
|
|
end
|
|
|
|
test "HTTP request fails with missing Sec-Fetch-Site header when force_ssl is enabled" do
|
|
Rails.configuration.force_ssl = true
|
|
|
|
assert_no_difference -> { Board.count } do
|
|
post boards_path,
|
|
params: { board: { name: "Test Board" } }
|
|
end
|
|
|
|
assert_response :unprocessable_entity
|
|
end
|
|
|
|
test "HTTPS request fails with missing Sec-Fetch-Site header" do
|
|
Rails.configuration.force_ssl = false
|
|
|
|
assert_no_difference -> { Board.count } do
|
|
post boards_path,
|
|
params: { board: { name: "Test Board" } },
|
|
headers: { "X-Forwarded-Proto" => "https" }
|
|
end
|
|
|
|
assert_response :unprocessable_entity
|
|
end
|
|
end
|