Files
fizzy/app/controllers/concerns/request_forgery_protection.rb
T
Mike Dalessio 41675224d0 Remove redundant insecure context CSRF check
Rails now handles the insecure context case natively in
verified_via_header_only? — when Sec-Fetch-Site is missing and the
request is plain HTTP without force_ssl, the request is allowed.

Remove the now-redundant allowed_insecure_context_request? method and
update the test to set ActionDispatch::Http::URL.secure_protocol
alongside Rails.configuration.force_ssl so the upstream check works
correctly in the test environment.
2026-02-18 14:06:46 -05:00

17 lines
335 B
Ruby

module RequestForgeryProtection
extend ActiveSupport::Concern
included do
protect_from_forgery using: :header_only, with: :exception
end
private
def verified_via_header_only?
super || allowed_api_request?
end
def allowed_api_request?
sec_fetch_site_value.nil? && request.format.json?
end
end