41675224d0
Rails now handles the insecure context case natively in verified_via_header_only? — when Sec-Fetch-Site is missing and the request is plain HTTP without force_ssl, the request is allowed. Remove the now-redundant allowed_insecure_context_request? method and update the test to set ActionDispatch::Http::URL.secure_protocol alongside Rails.configuration.force_ssl so the upstream check works correctly in the test environment.
17 lines
335 B
Ruby
17 lines
335 B
Ruby
module RequestForgeryProtection
|
|
extend ActiveSupport::Concern
|
|
|
|
included do
|
|
protect_from_forgery using: :header_only, with: :exception
|
|
end
|
|
|
|
private
|
|
def verified_via_header_only?
|
|
super || allowed_api_request?
|
|
end
|
|
|
|
def allowed_api_request?
|
|
sec_fetch_site_value.nil? && request.format.json?
|
|
end
|
|
end
|