Currently when the *disable_request_forgery_protection* is set to *true*,
you need to specify the list of allowed origins.
This can be quite problematic if the application is available using
multiple addresses or it is massively deployed for various customers.
My idea is to have an optional *allow_same_origin_as_host* that will allow
any origin beginning with the current HTTP_HOST.
proto = Rack::Request.new(env).ssl? ? 'https' : 'http'
expected = "#{proto}://#{env['HTTP_HOST']}"  # an Origin header is scheme://host[:port] with no trailing path
origin = env['HTTP_ORIGIN'].to_s
origin == expected || origin.start_with?("#{expected}/")
I'm not a security expert and it is possible that this is completely
unsafe, but I haven't found any other solution without specifying the list
of all allowed origins.
I have a PR prepared with tests and it works well in our application...
David
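The check proposed above, written out as an added example (it is not David's PR and not Rails' own code). It assumes a constructed ALLOWED_HOSTS list and reads the scheme from rack.url_scheme instead of Rack::Request#ssl? so it runs without the gem; because HTTP_HOST is sent by the client, the Host value is validated against that list before any Origin is compared to it, and a missing Origin header is treated as not same-origin.

```ruby
# Added example, not code from the mailing-list post or from Rails.
# Hostnames the application is really served on (constructed sample config).
ALLOWED_HOSTS = ['app.example.com', 'app.example.com:8443'].freeze

# Scheme the request arrived with. Rack always sets 'rack.url_scheme', so this
# stands in for Rack::Request#ssl? without requiring the gem.
def request_scheme(env)
  env['rack.url_scheme'] == 'https' ? 'https' : 'http'
end

# True when the Origin header names exactly the scheme://host[:port] the request
# was addressed to. Origin values carry no path, so an exact comparison is the
# precise form of the proposed prefix test: "https://app.example.com" does not
# match "https://app.example.com.other.test", a different port or a different
# scheme, and a Host value outside the allow-list is refused outright.
def same_origin_as_host?(env, allowed_hosts = ALLOWED_HOSTS)
  host   = env['HTTP_HOST'].to_s
  origin = env['HTTP_ORIGIN']
  return false unless allowed_hosts.include?(host)   # untrusted Host header
  return false if origin.nil? || origin.empty?       # assumption: no Origin => reject
  origin == "#{request_scheme(env)}://#{host}"
end

# Constructed Rack env fragments covering the cases that matter.
def demo_cases
  base = { 'rack.url_scheme' => 'https', 'HTTP_HOST' => 'app.example.com' }
  {
    same_origin:   base.merge('HTTP_ORIGIN' => 'https://app.example.com'),
    scheme_differs: base.merge('HTTP_ORIGIN' => 'http://app.example.com'),
    host_lookalike: base.merge('HTTP_ORIGIN' => 'https://app.example.com.other.test'),
    port_differs:  base.merge('HTTP_ORIGIN' => 'https://app.example.com:8443'),
    alt_port_ok:   base.merge('HTTP_HOST' => 'app.example.com:8443',
                              'HTTP_ORIGIN' => 'https://app.example.com:8443'),
    host_untrusted: base.merge('HTTP_HOST' => 'other.example.net',
                               'HTTP_ORIGIN' => 'https://other.example.net'),
    no_origin:     base
  }.transform_values { |env| same_origin_as_host?(env) }
end

if __FILE__ == $PROGRAM_NAME
  demo_cases.each { |name, ok| puts "#{name}: #{ok ? 'allowed' : 'rejected'}" }
end
```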