KingChan
/
actioncabl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #130 from adamliesko/allow_regexps_allowed_origins 

Allow regexp for a allowed_request_origins array
This commit is contained in:
David Heinemeier Hansson 2015-12-13 14:24:28 +01:00
parent c362beab2e 1c6fb5e397
commit 5fec4b96ff
3 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -304,10 +304,10 @@ ActionCable.server.config.redis_path = Rails.root('somewhere/else/cable.yml')
### Allowed Request Origins
Action Cable will only accepting requests from specified origins, which are passed to the server config as an array:
Action Cable will only accept requests from specified origins, which are passed to the server config as an array. The origins can be instances of strings or regular expressions, against which a check for match will be performed.
```ruby
ActionCable.server.config.allowed_request_origins = %w( http://rubyonrails.com )
ActionCable.server.config.allowed_request_origins = ['http://rubyonrails.com', /http:\/\/ruby.*/]
```
To disable and allow requests from any origin:
@ -437,4 +437,4 @@ Action Cable is released under the MIT license:
Bug reports can be filed for the alpha development project here:
* https://github.com/rails/actioncable/issues
* https://github.com/rails/actioncable/issues

2
lib/action_cable/connection/base.rb
View File

@ -172,7 +172,7 @@ module ActionCable
def allow_request_origin?
return true if server.config.disable_request_forgery_protection
if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN']
if Array(server.config.allowed_request_origins).any? { |allowed_origin| allowed_origin === env['HTTP_ORIGIN'] }
true
else
logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}")

14
test/connection/cross_site_forgery_test.rb
View File

@ -40,6 +40,20 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
assert_origin_not_allowed 'http://hax.com'
end
test "explicitly specified a single regexp allowed origin" do
@server.config.allowed_request_origins = /.*ha.*/
assert_origin_not_allowed 'http://rubyonrails.com'
assert_origin_allowed 'http://hax.com'
end
test "explicitly specified multiple regexp allowed origins" do
@server.config.allowed_request_origins = [/http:\/\/ruby.*/, /.*rai.s.*com/, 'string' ]
assert_origin_allowed 'http://rubyonrails.com'
assert_origin_allowed 'http://www.rubyonrails.com'
assert_origin_not_allowed 'http://hax.com'
assert_origin_not_allowed 'http://rails.co.uk'
end
private
def assert_origin_allowed(origin)
response = connect_with_origin origin