From 268c340b0909bd78259e58b1ed0b53133d924199 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20Hal=C3=A1sz?= Date: Wed, 21 Sep 2016 14:55:25 +0200 Subject: [PATCH] Optionally allow ActionCable requests from the same host as origin When the `allow_same_origin_as_host` is set to `true`, the request forgery protection permits `HTTP_ORIGIN` values starting with the corresponding `proto://` prefix followed by `HTTP_HOST`. This way it is not required to specify the list of allowed URLs. --- actioncable/README.md | 5 +++++ actioncable/lib/action_cable/connection/base.rb | 3 +++ actioncable/lib/action_cable/server/configuration.rb | 3 ++- actioncable/test/connection/cross_site_forgery_test.rb | 8 ++++++++ 4 files changed, 18 insertions(+), 1 deletion(-) diff --git a/actioncable/README.md b/actioncable/README.md index 28e2602cbf..28a5d303fe 100644 --- a/actioncable/README.md +++ b/actioncable/README.md @@ -340,6 +340,11 @@ To disable and allow requests from any origin: Rails.application.config.action_cable.disable_request_forgery_protection = true ``` +It is also possible to allow origins that are starting with the actual HTTP HOST header: +```ruby +Rails.application.config.action_cable.allow_same_origin_as_host = true +``` + ### Consumer Configuration Once you have decided how to run your cable server (see below), you must provide the server URL (or path) to your client-side setup. diff --git a/actioncable/lib/action_cable/connection/base.rb b/actioncable/lib/action_cable/connection/base.rb index 4c7fcc1434..76706a7465 100644 --- a/actioncable/lib/action_cable/connection/base.rb +++ b/actioncable/lib/action_cable/connection/base.rb @@ -195,8 +195,11 @@ def send_welcome_message def allow_request_origin? return true if server.config.disable_request_forgery_protection + proto = Rack::Request.new(env).ssl? ? "https" : "http" if Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env["HTTP_ORIGIN"] } true + elsif server.config.allow_same_origin_as_host && env["HTTP_ORIGIN"] == "#{proto}://#{env['HTTP_HOST']}" + true else logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") false diff --git a/actioncable/lib/action_cable/server/configuration.rb b/actioncable/lib/action_cable/server/configuration.rb index 7153593d4c..4286fe5f0d 100644 --- a/actioncable/lib/action_cable/server/configuration.rb +++ b/actioncable/lib/action_cable/server/configuration.rb @@ -5,7 +5,7 @@ module Server class Configuration attr_accessor :logger, :log_tags attr_accessor :use_faye, :connection_class, :worker_pool_size - attr_accessor :disable_request_forgery_protection, :allowed_request_origins + attr_accessor :disable_request_forgery_protection, :allowed_request_origins, :allow_same_origin_as_host attr_accessor :cable, :url, :mount_path def initialize @@ -15,6 +15,7 @@ def initialize @worker_pool_size = 4 @disable_request_forgery_protection = false + @allow_same_origin_as_host = false end # Returns constant of subscription adapter specified in config/cable.yml. diff --git a/actioncable/test/connection/cross_site_forgery_test.rb b/actioncable/test/connection/cross_site_forgery_test.rb index 3bc59c9db9..6cabff5440 100644 --- a/actioncable/test/connection/cross_site_forgery_test.rb +++ b/actioncable/test/connection/cross_site_forgery_test.rb @@ -18,6 +18,7 @@ def send_async(method, *args) teardown do @server.config.disable_request_forgery_protection = false @server.config.allowed_request_origins = [] + @server.config.allow_same_origin_as_host = false end test "disable forgery protection" do @@ -53,6 +54,13 @@ def send_async(method, *args) assert_origin_not_allowed "http://rails.co.uk" end + test "allow same origin as host" do + @server.config.allow_same_origin_as_host = true + assert_origin_allowed "http://#{HOST}" + assert_origin_not_allowed "http://hax.com" + assert_origin_not_allowed "http://rails.co.uk" + end + private def assert_origin_allowed(origin) response = connect_with_origin origin