xhr requests cannot be used for the json attack, fixes #39

rack-protection/lib/rack/protection/json_csrf.rb

@@ -14,14 +14,21 @@ module Rack
       default_reaction :deny
 
       def call(env)
+        request               = Request.new(env)
         status, headers, body = app.call(env)
-        if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+
-          if origin(env).nil? and referrer(env) != Request.new(env).host
+        if has_vector? request, headers
-            result = react(env)
+          warn env, "attack prevented by #{self.class}"
-            warn env, "attack prevented by #{self.class}"
+          react(env)
-          end
+        else
+          [status, headers, body]
         end
-        result or [status, headers, body]
+      end
+
+      def has_vector?(request, headers)
+        return false if request.xhr?
+        return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
+        origin(request.env).nil? and referrer(request.env) != request.host
       end
     end
   end

rack-protection/spec/json_csrf_spec.rb

@@ -27,6 +27,10 @@ describe Rack::Protection::JsonCsrf do
     it "accepts get requests with json responses with no referrer" do
       get('/', {}).should be_ok
     end
+
+    it "accepts XHR requests" do
+      get('/', {}, 'HTTP_REFERER' => 'http://evil.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').should be_ok
+    end
   end
 
   describe 'not json response' do