Files
fizzy/app/controllers/concerns/request_forgery_protection.rb
T
Rosa Gutierrez 5f390f72df Support local installations where the app is loaded over HTTP
In this case requests won't be performed from a secure context [1] and
the browser won't send the Sec-Fetch-Site header. This means non-GET
requests will be rejected because CSRF protection will fail.

With this change, we allow these requests with missing Sec-Fetch-Site
headers if:
- They happen over HTTP
- The app is not configured to force SSL

The Origin check happens in any case.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
2026-01-05 18:50:14 +01:00

21 lines
506 B
Ruby

module RequestForgeryProtection
extend ActiveSupport::Concern
included do
protect_from_forgery using: :header_only, with: :exception
end
private
def verified_via_header_only?
super || allowed_api_request? || allowed_insecure_context_request?
end
def allowed_api_request?
sec_fetch_site_value.nil? && request.format.json?
end
def allowed_insecure_context_request?
sec_fetch_site_value.nil? && !request.ssl? && !Rails.configuration.force_ssl
end
end