Commit f8c53eff
Authored on Oct 11, 2016 by Matthew Draper
Merge pull request #26568 from skateman/cable-sameorigin-as-host
Optionally allow ActionCable requests from the same host as origin
Parents: bc9dc418, 268c340b
Showing 4 changed files with 18 additions and 1 deletion (+18 -1):
actioncable/README.md (+5 -0)
actioncable/lib/action_cable/connection/base.rb (+3 -0)
actioncable/lib/action_cable/server/configuration.rb (+2 -1)
actioncable/test/connection/cross_site_forgery_test.rb (+8 -0)
actioncable/README.md
@@ -340,6 +340,11 @@ To disable and allow requests from any origin:
Rails
.
application
.
config
.
action_cable
.
disable_request_forgery_protection
=
true
```
It is also possible to allow origins that are starting with the actual HTTP HOST header:
```
ruby
Rails
.
application
.
config
.
action_cable
.
allow_same_origin_as_host
=
true
```
### Consumer Configuration
Once you have decided how to run your cable server (see below), you must provide the server URL (or path) to your client-side setup.
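Review bot: the wording "allow origins that are starting with the actual HTTP HOST header" does not describe what the code in `allow_request_origin?` does; the new branch compares `env["HTTP_ORIGIN"]` for exact equality against `"#{proto}://#{env['HTTP_HOST']}"`, so only the one origin whose scheme and host (including any port) are identical to the request's Host header is accepted, not every origin that begins with it. Suggest rewording to "allow requests whose Origin exactly matches the scheme and HTTP HOST header of the request", and stating that the option is off by default (see the `@allow_same_origin_as_host = false` default in configuration.rb).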
actioncable/lib/action_cable/connection/base.rb
@@ -195,8 +195,11 @@ def send_welcome_message
def
allow_request_origin?
return
true
if
server
.
config
.
disable_request_forgery_protection
proto
=
Rack
::
Request
.
new
(
env
).
ssl?
?
"https"
:
"http"
if
Array
(
server
.
config
.
allowed_request_origins
).
any?
{
|
allowed_origin
|
allowed_origin
===
env
[
"HTTP_ORIGIN"
]
}
true
elsif
server
.
config
.
allow_same_origin_as_host
&&
env
[
"HTTP_ORIGIN"
]
==
"
#{
proto
}
://
#{
env
[
'HTTP_HOST'
]
}
"
true
else
logger
.
error
(
"Request origin not allowed:
#{
env
[
'HTTP_ORIGIN'
]
}
"
)
false
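Review bot: the new `elsif` branch builds the trusted origin from `env['HTTP_HOST']`, a header supplied by the client, so with `allow_same_origin_as_host` enabled the check is only as strong as whatever Host validation the web server or proxy in front of the app performs; if arbitrary Host values reach Rails, an Origin and a Host that merely agree with each other will pass. Either document that the option is only safe behind a server that rejects unexpected Host headers, or compare against a configured host rather than the incoming header. Two smaller points: `proto` comes from `Rack::Request.new(env).ssl?`, so behind a TLS-terminating proxy that does not pass the original scheme through the expected origin is built as `http://` and a legitimate `https://` Origin is rejected; and since the comparison is plain string equality, a Host carrying an explicit default port (for example `example.com:443`) never equals an Origin that omits it (`https://example.com`). Both cases fail closed, but they deserve a sentence in the README. Finally, `proto` is computed on every call even though only the `elsif` uses it; moving it inside that branch keeps the `allowed_request_origins` path unchanged.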
actioncable/lib/action_cable/server/configuration.rb
@@ -5,7 +5,7 @@ module Server
class
Configuration
attr_accessor
:logger
,
:log_tags
attr_accessor
:connection_class
,
:worker_pool_size
attr_accessor
:disable_request_forgery_protection
,
:allowed_request_origins
attr_accessor
:disable_request_forgery_protection
,
:allowed_request_origins
,
:allow_same_origin_as_host
attr_accessor
:cable
,
:url
,
:mount_path
def
initialize
@@ -15,6 +15,7 @@ def initialize
@worker_pool_size
=
4
@disable_request_forgery_protection
=
false
@allow_same_origin_as_host
=
false
end
# Returns constant of subscription adapter specified in config/cable.yml.
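Review bot: defaulting `@allow_same_origin_as_host` to `false` keeps the relaxation opt-in, which is the right choice; it would help to note next to the attribute that it is independent of `disable_request_forgery_protection`, which returns early in `allow_request_origin?` before this option is ever consulted, and that `allowed_request_origins` is still checked first when both are set.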
actioncable/test/connection/cross_site_forgery_test.rb
@@ -18,6 +18,7 @@ def send_async(method, *args)
teardown
do
@server
.
config
.
disable_request_forgery_protection
=
false
@server
.
config
.
allowed_request_origins
=
[]
@server
.
config
.
allow_same_origin_as_host
=
false
end
test
"disable forgery protection"
do
@@ -53,6 +54,13 @@ def send_async(method, *args)
assert_origin_not_allowed
"http://rails.co.uk"
end
test
"allow same origin as host"
do
@server
.
config
.
allow_same_origin_as_host
=
true
assert_origin_allowed
"http://
#{
HOST
}
"
assert_origin_not_allowed
"http://hax.com"
assert_origin_not_allowed
"http://rails.co.uk"
end
private
def
assert_origin_allowed
(
origin
)
response
=
connect_with_origin
origin
...