sinatra/rack-protection/lib/rack/protection/remote_token.rb

require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack::   CSRF
    # Supported browsers:: all
    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
    #
    # Only accepts unsafe HTTP requests if a given access token matches the token
    # included in the session *or* the request comes from the same origin.
    #
    # Compatible with rack-csrf.
    class RemoteToken < AuthenticityToken
      default_reaction :deny

      def accepts?(env)
        super or referrer(env) == Request.new(env).host
      end
    end
  end
end
initial commit 2011-05-23 08:07:54 +00:00			`require 'rack/protection'`

			`module Rack`
			`module Protection`
add docs to all middleware 2011-05-24 11:23:57 +00:00			`##`
			`# Prevented attack:: CSRF`
			`# Supported browsers:: all`
			`# More infos:: http://en.wikipedia.org/wiki/Cross-site_request_forgery`
			`#`
			`# Only accepts unsafe HTTP requests if a given access token matches the token`
			`# included in the session or the request comes from the same origin.`
			`#`
Make authenticity token length a fixed value of 32 Rack::Protection::AuthenticityToken.token(session) can now make sure that an authenticity token is set in the session before returning a masked version of the token. Any Rack app that shares the session can use this method when building a form for an app that uses rack-protection. Removes references to Rails compatibility as rack-protection 2.0 officially breaks that promise. 2016-09-18 04:52:25 +00:00			`# Compatible with rack-csrf.`
initial commit 2011-05-23 08:07:54 +00:00			`class RemoteToken < AuthenticityToken`
move stuff around, add remote_token protection 2011-05-29 09:45:27 +00:00			`default_reaction :deny`

			`def accepts?(env)`
			`super or referrer(env) == Request.new(env).host`
			`end`
initial commit 2011-05-23 08:07:54 +00:00			`end`
			`end`
			`end`