class Rack::Protection::JsonCsrf
- Prevented attack
-
CSRF
- Supported browsers
-
all
- More infos
-
flask.pocoo.org/docs/0.10/security/#json-security haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
JSON GET APIs are vulnerable to being embedded as JavaScript when the Array prototype has been patched to track data. Checks the referrer even on GET requests if the content type is JSON.
If request includes Origin HTTP header, defers to HttpOrigin
to determine if the request is safe. Please refer to the documentation for more info.
The `:allow_if` option can be set to a proc to use custom allow/deny logic.
Public Instance Methods
call(env)
click to toggle source
# File lib/rack/protection/json_csrf.rb, line 24 def call(env) request = Request.new(env) status, headers, body = app.call(env) if has_vector?(request, headers) warn env, "attack prevented by #{self.class}" react_and_close(env, body) or [status, headers, body] else [status, headers, body] end end
close_body(body)
click to toggle source
# File lib/rack/protection/json_csrf.rb, line 52 def close_body(body) body.close if body.respond_to?(:close) end
has_vector?(request, headers)
click to toggle source
# File lib/rack/protection/json_csrf.rb, line 37 def has_vector?(request, headers) return false if request.xhr? return false if options[:allow_if] && options[:allow_if].call(request.env) return false unless headers['Content-Type'].to_s.split(';', 2).first =~ /^\s*application\/json\s*$/ origin(request.env).nil? and referrer(request.env) != request.host end
react_and_close(env, body)
click to toggle source
# File lib/rack/protection/json_csrf.rb, line 44 def react_and_close(env, body) reaction = react(env) close_body(body) if reaction reaction end