5f390f72df
In this case requests won't be performed from a secure context [1] and the browser won't send the Sec-Fetch-Site header. This means non-GET requests will be rejected because CSRF protection will fail. With this change, we allow these requests with missing Sec-Fetch-Site headers if: - They happen over HTTP - The app is not configured to force SSL The Origin check happens in any case. [1] https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts#potentially_trustworthy_origins
21 lines
506 B
Ruby
21 lines
506 B
Ruby
module RequestForgeryProtection
|
|
extend ActiveSupport::Concern
|
|
|
|
included do
|
|
protect_from_forgery using: :header_only, with: :exception
|
|
end
|
|
|
|
private
|
|
def verified_via_header_only?
|
|
super || allowed_api_request? || allowed_insecure_context_request?
|
|
end
|
|
|
|
def allowed_api_request?
|
|
sec_fetch_site_value.nil? && request.format.json?
|
|
end
|
|
|
|
def allowed_insecure_context_request?
|
|
sec_fetch_site_value.nil? && !request.ssl? && !Rails.configuration.force_ssl
|
|
end
|
|
end
|