Merge pull request #26568 from skateman/cable-sameorigin-as-host
Optionally allow ActionCable requests from the same host as origin
commit
f8c53eff7b
@ -340,6 +340,11 @@ To disable and allow requests from any origin:
|
||||
Rails.application.config.action_cable.disable_request_forgery_protection = true
|
||||
```
|
||||
|
||||
It is also possible to allow origins that are starting with the actual HTTP HOST header:
|
||||
```ruby
|
||||
Rails.application.config.action_cable.allow_same_origin_as_host = true
|
||||
```
|
||||
|
||||
### Consumer Configuration
|
||||
|
||||
Once you have decided how to run your cable server (see below), you must provide the server URL (or path) to your client-side setup.
|
||||
|
@ -195,8 +195,11 @@ def send_welcome_message
|
||||
def allow_request_origin?
|
||||
return true if server.config.disable_request_forgery_protection
|
||||
|
||||
proto = Rack::Request.new(env).ssl? ? "https" : "http"
|
||||
if Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env["HTTP_ORIGIN"] }
|
||||
true
|
||||
elsif server.config.allow_same_origin_as_host && env["HTTP_ORIGIN"] == "#{proto}://#{env['HTTP_HOST']}"
|
||||
true
|
||||
else
|
||||
logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")
|
||||
false
|
||||
|
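Review bot: The new same-origin branch compares `env["HTTP_ORIGIN"]` against a URL rebuilt from `Rack::Request#ssl?` and `HTTP_HOST`, so whether the scheme comes out as https depends on the proxy forwarding `X-Forwarded-Proto` (or an equivalent header); behind a TLS-terminating proxy that does not, `proto` is "http" while the browser sends an https Origin and legitimate requests get logged as not allowed. That deserves a comment above the `proto` line, e.g. `# Scheme comes from Rack::Request#ssl?, which honours X-Forwarded-* headers; a TLS-terminating proxy must forward the scheme for this check to match.` The guide hunk in the same commit says the option allows origins "starting with" the HTTP HOST header, but the code requires exact equality with `"#{proto}://#{env['HTTP_HOST']}"`, which is the stronger and correct check — the guide wording should say the origin must equal the request's scheme and host. A small style point: `env["HTTP_ORIGIN"]` is read three times in the method; `origin = env["HTTP_ORIGIN"]` once at the top would keep the branches shorter. The closing `end` lines of allow_request_origin? lie outside the hunk.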
@ -5,7 +5,7 @@ module Server
|
||||
class Configuration
|
||||
attr_accessor :logger, :log_tags
|
||||
attr_accessor :connection_class, :worker_pool_size
|
||||
attr_accessor :disable_request_forgery_protection, :allowed_request_origins
|
||||
attr_accessor :disable_request_forgery_protection, :allowed_request_origins, :allow_same_origin_as_host
|
||||
attr_accessor :cable, :url, :mount_path
|
||||
|
||||
def initialize
|
||||
@ -15,6 +15,7 @@ def initialize
|
||||
@worker_pool_size = 4
|
||||
|
||||
@disable_request_forgery_protection = false
|
||||
@allow_same_origin_as_host = false
|
||||
end
|
||||
|
||||
# Returns constant of subscription adapter specified in config/cable.yml.
|
||||
|
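Review bot: The new `:allow_same_origin_as_host` accessor is added to the `attr_accessor` list with no documentation, and nothing in this class says how it relates to `disable_request_forgery_protection` or `allowed_request_origins`. A comment above the accessor line would help, e.g. `# When true, an Origin equal to the request's own scheme and host is accepted in addition to allowed_request_origins; ignored when disable_request_forgery_protection is set.` The `false` default in `initialize` is the right choice, since it keeps the origin check opt-in.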
@ -18,6 +18,7 @@ def send_async(method, *args)
|
||||
teardown do
|
||||
@server.config.disable_request_forgery_protection = false
|
||||
@server.config.allowed_request_origins = []
|
||||
@server.config.allow_same_origin_as_host = false
|
||||
end
|
||||
|
||||
test "disable forgery protection" do
|
||||
@ -53,6 +54,13 @@ def send_async(method, *args)
|
||||
assert_origin_not_allowed "http://rails.co.uk"
|
||||
end
|
||||
|
||||
test "allow same origin as host" do
|
||||
@server.config.allow_same_origin_as_host = true
|
||||
assert_origin_allowed "http://#{HOST}"
|
||||
assert_origin_not_allowed "http://hax.com"
|
||||
assert_origin_not_allowed "http://rails.co.uk"
|
||||
end
|
||||
|
||||
private
|
||||
def assert_origin_allowed(origin)
|
||||
response = connect_with_origin origin
|
||||
|
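Review bot: The new "allow same origin as host" test only shows that the matching scheme and host is accepted and two foreign hosts are rejected; it does not pin that a scheme mismatch is rejected, which is the case the exact-equality check is meant to enforce. Adding `assert_origin_not_allowed "https://#{HOST}"` inside the test would cover that, and a sibling test with the option left at its `false` default asserting `assert_origin_not_allowed "http://#{HOST}"` would show the behaviour is genuinely opt-in. If HOST can carry a port in this test setup, an assertion for `"http://#{HOST}:1234"`-style mismatches would be worth adding too. The assert_origin_allowed helper at the end of the hunk continues outside it.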