diff --git a/lib/action_cable/connection/base.rb b/lib/action_cable/connection/base.rb index 5bf7086b60..f7c5f050d8 100644 --- a/lib/action_cable/connection/base.rb +++ b/lib/action_cable/connection/base.rb @@ -168,23 +168,12 @@ module ActionCable def allow_request_origin? return true if server.config.disable_request_forgery_protection - if env['HTTP_ORIGIN'].present? - origin_host = URI.parse(env['HTTP_ORIGIN']).host - - allowed = if server.config.allowed_request_origins.present? - Array(server.config.allowed_request_origins).include? origin_host - else - request.host == origin_host - end - - logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") unless allowed - allowed + if Array(server.config.allowed_request_origins).include? env['HTTP_ORIGIN'] + true else - logger.error("Request origin missing.") + logger.error("Request origin not allowed: #{env['HTTP_ORIGIN']}") false end - rescue URI::InvalidURIError - false end def respond_to_successful_request diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb index 6c8bacde9a..bc8b5ba568 100644 --- a/test/connection/base_test.rb +++ b/test/connection/base_test.rb @@ -16,9 +16,10 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase setup do @server = TestServer.new + @server.config.allowed_request_origins = %w( http://rubyonrails.com ) env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', - 'SERVER_NAME' => 'rubyonrails.com', 'HTTP_ORIGIN' => 'http://rubyonrails.com' + 'HTTP_ORIGIN' => 'http://rubyonrails.com' @connection = Connection.new(@server, env) @response = @connection.process diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb index b904dbd8b6..6073f89287 100644 --- a/test/connection/cross_site_forgery_test.rb +++ b/test/connection/cross_site_forgery_test.rb @@ -6,11 +6,12 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase setup do @server = TestServer.new + @server.config.allowed_request_origins = %w( http://rubyonrails.com ) end - test "default cross site forgery protection only allows origin same as the server host" do - assert_origin_allowed 'http://rubyonrails.com' - assert_origin_not_allowed 'http://hax.com' + teardown do + @server.config.disable_request_forgery_protection = false + @server.config.allowed_request_origins = [] end test "disable forgery protection" do @@ -20,16 +21,15 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase end test "explicitly specified a single allowed origin" do - @server.config.allowed_request_origins = 'hax.com' + @server.config.allowed_request_origins = 'http://hax.com' assert_origin_not_allowed 'http://rubyonrails.com' assert_origin_allowed 'http://hax.com' end test "explicitly specified multiple allowed origins" do - @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com ) + @server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com ) assert_origin_allowed 'http://rubyonrails.com' assert_origin_allowed 'http://www.rubyonrails.com' - assert_origin_allowed 'https://www.rubyonrails.com' assert_origin_not_allowed 'http://hax.com' end