From d528b5aa6ccec6641e000374332b84c55e2c9890 Mon Sep 17 00:00:00 2001
From: Chris Mytton
Date: Fri, 2 Dec 2011 19:42:24 +0000
Subject: [PATCH] Show warnings for a `JsonCsrf` attack.

Since the `JsonCsrf` middleware overrides the `call` method, the default warning is never displayed. I couldn't figure out why sinatra was returning a 403 for CORS and JSONP requests, tracked it down to this.
---
 rack-protection/lib/rack/protection/json_csrf.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rack-protection/lib/rack/protection/json_csrf.rb b/rack-protection/lib/rack/protection/json_csrf.rb
index 7aea8873..5b75121d 100644
--- a/rack-protection/lib/rack/protection/json_csrf.rb
+++ b/rack-protection/lib/rack/protection/json_csrf.rb
@@ -16,7 +16,10 @@ module Rack
 def call(env)
 status, headers, body = app.call(env)
 if headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/
-          result = react(env) if referrer(env) != Request.new(env).host
+          if referrer(env) != Request.new(env).host
+            result = react(env)
+            warn env, "attack prevented by #{self.class}"
+          end
 end
 result or [status, headers, body]
 end
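Review bot: When `react(env)` returns a replacement response, the downstream `body` obtained from `app.call(env)` is discarded without being closed, which breaks the Rack contract for bodies that respond to `close` and can leak whatever the app's body holds open (files, cursors); the new branch should add `body.close if result && body.respond_to?(:close)` right after `result = react(env)`, guarded on `result` because the `result or [status, headers, body]` fall-through implies `react` may return nil and the original body is then still served. Since the referrer check only runs after `app.call(env)` has completed, this middleware can withhold the JSON response but cannot prevent the app's side effects, which is worth stating in a comment above the check such as `# The app has already run; this only stops a cross-origin page from reading the JSON body`. The enclosing `class JsonCsrf` starts outside the hunk, so the `referrer`, `react` and `warn` helpers it relies on are not visible here.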