WebSocket always defers the decision to the server, because it didn't
have to deal with legacy compatibility... but the same-origin policy is
still a reasonable default.
Origin checks do not protect against a directly connecting attacker --
they can lie about their host, but can also lie about their origin.
Origin checks protect against a connection from 3rd-party controlled
script in a context where a victim browser's cookies will be passed
along. And if an attacker has breached that protection, they've already
compromised the HTTP session, so treating the WebSocket connection in
the same way seems reasonable.
In case this logic proves incorrect (or anyone just wants to be more
paranoid), we retain a config option to disable it.
When the `allow_same_origin_as_host` is set to `true`, the request
forgery protection permits `HTTP_ORIGIN` values starting with the
corresponding `proto://` prefix followed by `HTTP_HOST`. This way
it is not required to specify the list of allowed URLs.
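The origin-check logic described above, written out as a stand-alone example. This is added illustration code, not Action Cable's own implementation: the class and option names `OriginCheck`, `allowed_request_origins`, `allow_same_origin_as_host` and `disable_request_forgery_protection` are modelled on the settings named in these messages, the Rack-style `env` hash is constructed inline, and the same-origin comparison deliberately uses an exact match of `proto://HTTP_HOST` rather than a prefix match so that a lookalike host such as `https://cable.example.com.evil.test` cannot slip past the check.

```ruby
# Added example (not Action Cable's own code): a minimal WebSocket origin check.
# A request is accepted when request forgery protection is disabled, when the
# Origin header is exactly "#{proto}://#{HTTP_HOST}" and allow_same_origin_as_host
# is enabled, or when it matches one of the configured allowed origins
# (plain strings compare by equality, Regexps by pattern match via ===).
class OriginCheck
  def initialize(allowed_request_origins: [],
                 allow_same_origin_as_host: false,
                 disable_request_forgery_protection: false)
    @allowed = Array(allowed_request_origins)
    @same_origin_as_host = allow_same_origin_as_host
    @disabled = disable_request_forgery_protection
  end

  # env is a Rack-style hash with HTTP_ORIGIN, HTTP_HOST and rack.url_scheme
  # (constructed by the caller in this example).
  def allowed?(env)
    return true if @disabled

    origin = env['HTTP_ORIGIN']
    return false if origin.nil? || origin.empty?

    same_origin_as_host?(origin, env) || @allowed.any? { |pattern| pattern === origin }
  end

  private

  def same_origin_as_host?(origin, env)
    return false unless @same_origin_as_host

    proto = env['rack.url_scheme'] == 'https' ? 'https' : 'http'
    host  = env['HTTP_HOST']
    return false if host.nil? || host.empty?

    # Exact comparison, not start_with?: "https://example.com.evil.test" must not
    # be accepted for host "example.com", and the scheme must match as well.
    origin == "#{proto}://#{host}"
  end
end

if __FILE__ == $PROGRAM_NAME
  check = OriginCheck.new(allowed_request_origins: ['https://app.example.com'],
                          allow_same_origin_as_host: true)
  env = { 'HTTP_ORIGIN' => 'https://cable.example.com',
          'HTTP_HOST' => 'cable.example.com',
          'rack.url_scheme' => 'https' }
  puts "same host:     #{check.allowed?(env)}"
  puts "lookalike:     #{check.allowed?(env.merge('HTTP_ORIGIN' => 'https://cable.example.com.evil.test'))}"
  puts "listed origin: #{check.allowed?(env.merge('HTTP_ORIGIN' => 'https://app.example.com'))}"
end
```

Because `===` is used for the allowed list, a Regexp entry such as `%r{\Ahttps://.*\.example\.org\z}` works alongside plain strings, which is how a list of several trusted front-end origins would typically be expressed.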
Whack it down from 100 to 4.
Large worker pools mean large DB connection counts. We aren't set up
for that by default and most apps won't need it out of the box.
We're better off tuning the default worker pool for low traffic, low
resource consumption apps. Those who have higher traffic will scale up
to meet demand.
This PR checks all active Action Cable documentation for typos and other
fixes. It aims to make sure that when Rails 5 is released, that the
Action Cable docs are up to snuff with the other documentation included
with Rails.
[ci skip]
Instead of depending on ApplicationCable::Connection being defined at initialize
we should inject it in the Railtie.
Thus we can kill more setup in the tests too.
We were explicitly referencing Rails.root in ActionCable::Server::Configuration.initialize,
thereby coupling ourselves to Rails.
Instead add `app/channels` to Rails' app paths and assign the existent files
to `channel_paths`.
Users can still append to those load paths with `<<` and `push` in `config/application.rb`.
This means we can remove the custom `Dir` lookup in `channel_paths` and the Rails
and root definitions in the tests.
Logging Action Cable to STDOUT caused the development log to see double
messages like this:
```
Started GET "/" for ::1 at 2015-12-17 15:21:34 -0500
Started GET "/" for ::1 at 2015-12-17 15:21:34 -0500
Processing by Rails::WelcomeController#index as HTML
Processing by Rails::WelcomeController#index as HTML
Rendered /welcome/index.html.erb (0.0ms)
Rendered /welcome/index.html.erb (0.0ms)
Completed 200 OK in 3ms (Views: 1.3ms | ActiveRecord: 0.0ms)
Completed 200 OK in 3ms (Views: 1.3ms | ActiveRecord: 0.0ms)
```
Now that Action Cable is part of Rails it doesn't need its own logger
and will log to STDOUT via the local dev server here:
https://github.com/rails/rails/blob/master/railties/lib/rails/commands/server.rb