Class: Pakyow::Security::CSRF::VerifySameOrigin

Inherits:
Base
  • Object
Defined in:
lib/pakyow/security/csrf/verify_same_origin.rb

Overview

Protects against Cross-Site Request Forgery (CSRF). www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Allows a request if its origin or referer matches the request URI, or is whitelisted through the config.origin.whitelist config option. The request is not allowed if the values for both origin and referer are missing.

Constant Summary

Constants inherited from Base

Base::SAFE_HTTP_METHODS

Instance Method Summary

Methods inherited from Base

#call, #reject, #safe?

Constructor Details

#initialize ⇒ VerifySameOrigin

Returns a new instance of VerifySameOrigin.



# File 'lib/pakyow/security/csrf/verify_same_origin.rb', line 19

def initialize(*)
  super

  # Parse each configured origin once; entries that do not parse are dropped.
  @whitelisted_origins = @config[:origin_whitelist].to_a.map { |origin|
    parse_uri(origin)
  }.compact
end

Instance Method Details

#allowed?(connection) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pakyow/security/csrf/verify_same_origin.rb', line 27

def allowed?(connection)
  # Parsed Origin and/or Referer; empty when both headers are missing.
  origin_uris(connection).yield_self { |origins|
    # Reject when there is nothing to verify; otherwise every present
    # origin must be whitelisted or match the request's own origin.
    !origins.empty? && origins.all? { |origin|
      whitelisted_origin?(origin) || matching_origin?(origin, connection)
    }
  }
end
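The following is an added, stand-alone illustration of the decision described in the overview and in #allowed? above; it is not Pakyow's code. The helpers parse_uri, origin_uris, whitelisted_origin? and matching_origin? are not shown on this page, so their behaviour here (compare scheme, host and port; drop unparsable values) and the contents of SAFE_HTTP_METHODS are assumptions, and the request headers are constructed for the example.

```ruby
require "uri"

# Illustrative re-implementation of the same-origin CSRF check (not Pakyow's code).
class SameOriginCheck
  SAFE_HTTP_METHODS = %w[GET HEAD OPTIONS TRACE].freeze # assumed contents

  def initialize(origin_whitelist: [])
    # Parse the configured whitelist once; unparsable entries are dropped.
    @whitelisted_origins = origin_whitelist.map { |o| parse_uri(o) }.compact
  end

  # headers is a plain Hash of request headers (constructed by the caller).
  def allowed?(method:, request_uri:, headers:)
    return true if SAFE_HTTP_METHODS.include?(method.to_s.upcase)
    origins = origin_uris(headers)
    # No verifiable Origin or Referer (including "Origin: null"): reject.
    # Otherwise every value present must be whitelisted or match the request.
    !origins.empty? && origins.all? { |origin|
      whitelisted_origin?(origin) || matching_origin?(origin, parse_uri(request_uri))
    }
  end

  private

  # Returns a URI only when it carries a host; "null" and garbage yield nil.
  def parse_uri(value)
    uri = URI.parse(value.to_s)
    uri.host ? uri : nil
  rescue URI::InvalidURIError
    nil
  end

  def origin_uris(headers)
    [headers["Origin"], headers["Referer"]].map { |v| parse_uri(v) }.compact
  end

  def whitelisted_origin?(origin)
    @whitelisted_origins.any? { |w| same_origin?(w, origin) }
  end

  def matching_origin?(origin, request_uri)
    same_origin?(origin, request_uri)
  end

  # Scheme, host and port must all agree; http vs https is a mismatch.
  def same_origin?(a, b)
    a.scheme == b.scheme && a.host == b.host && a.port == b.port
  end
end
```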