require 'rack/protection'
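module Rack
  module Protection
    ##
    # Prevented attack:: CSRF
    # Supported browsers:: all
    # More info:: http://en.wikipedia.org/wiki/Cross-site_request_forgery
    #
    # Denies unsafe HTTP requests whose Referer [sic] header names a
    # different host than the one the request was sent to. Requests that
    # Base#safe? accepts, and requests whose referrer host equals the
    # request host, are passed through.
    #
    # Caveats a deployer should know about:
    # * Only the host name is compared -- scheme and port are not part of
    #   the check, so http://example.com and https://example.com:8443 are
    #   treated as the same origin here.
    # * What happens when the Referer header is missing or unparseable is
    #   decided by Base#referrer, which is not visible in this file.
    #   Browsers and privacy tools routinely strip the header, so review
    #   that behaviour before relying on this middleware alone.
    # * NOTE(review): Request#host may be derived from forwarded-host
    #   headers; make sure an upstream proxy, not the client, controls
    #   them -- confirm for the deployment in question.
    class RemoteReferrer < Base
      # A request that fails the check is rejected outright rather than,
      # for example, merely having its session dropped.
      default_reaction :deny

      # Returns true when the request may proceed: either Base#safe?
      # accepts it, or the referrer host (Base#referrer) equals the host
      # the request was made to. A nil referrer never matches a host, so
      # such requests are denied unless safe?.
      #
      # env - the Rack environment hash.
      def accepts?(env)
        return true if safe?(env)

        # `||`-style guard above instead of `or` to avoid the low
        # precedence of the keyword operator; logic is unchanged.
        referrer(env) == Request.new(env).host
      end
    end
  end
end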