mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
dae4044734
WebSocket always defers the decision to the server, because it didn't have to deal with legacy compatibility... but the same-origin policy is still a reasonable default. Origin checks do not protect against a directly connecting attacker -- they can lie about their host, but can also lie about their origin. Origin checks protect against a connection from 3rd-party controlled script in a context where a victim browser's cookies will be passed along. And if an attacker has breached that protection, they've already compromised the HTTP session, so treating the WebSocket connection in the same way seems reasonable. In case this logic proves incorrect (or anyone just wants to be more paranoid), we retain a config option to disable it.
41 lines
1.8 KiB
Ruby
41 lines
1.8 KiB
Ruby
module ActionCable
|
|
module Server
|
|
# An instance of this configuration object is available via ActionCable.server.config, which allows you to tweak Action Cable configuration
|
|
# in a Rails config initializer.
|
|
class Configuration
|
|
attr_accessor :logger, :log_tags
|
|
attr_accessor :connection_class, :worker_pool_size
|
|
attr_accessor :disable_request_forgery_protection, :allowed_request_origins, :allow_same_origin_as_host
|
|
attr_accessor :cable, :url, :mount_path
|
|
|
|
def initialize
|
|
@log_tags = []
|
|
|
|
@connection_class = -> { ActionCable::Connection::Base }
|
|
@worker_pool_size = 4
|
|
|
|
@disable_request_forgery_protection = false
|
|
@allow_same_origin_as_host = true
|
|
end
|
|
|
|
# Returns constant of subscription adapter specified in config/cable.yml.
|
|
# If the adapter cannot be found, this will default to the Redis adapter.
|
|
# Also makes sure proper dependencies are required.
|
|
def pubsub_adapter
|
|
adapter = (cable.fetch("adapter") { "redis" })
|
|
path_to_adapter = "action_cable/subscription_adapter/#{adapter}"
|
|
begin
|
|
require path_to_adapter
|
|
rescue Gem::LoadError => e
|
|
raise Gem::LoadError, "Specified '#{adapter}' for Action Cable pubsub adapter, but the gem is not loaded. Add `gem '#{e.name}'` to your Gemfile (and ensure its version is at the minimum required by Action Cable)."
|
|
rescue LoadError => e
|
|
raise LoadError, "Could not load '#{path_to_adapter}'. Make sure that the adapter in config/cable.yml is valid. If you use an adapter other than 'postgresql' or 'redis' add the necessary adapter gem to the Gemfile.", e.backtrace
|
|
end
|
|
|
|
adapter = adapter.camelize
|
|
adapter = "PostgreSQL" if adapter == "Postgresql"
|
|
"ActionCable::SubscriptionAdapter::#{adapter}".constantize
|
|
end
|
|
end
|
|
end
|
|
end
|