[Feature] Add whitelist for forgery_protection_origin_check
230 views
Skip to first unread message
Joey Paris
Jan 22, 2020, 5:45:34 PM1/22/20
to Ruby on Rails: Core
Currently, the forgery_protection_origin_check is a boolean option that either only validates the origin is the same as the base_url or validates nothing at all. I like the idea of adding something like forgery_protection_origin_whitelist that contains an array of (regex) strings of approved origin domains. This whitelist check should only be tested if forgery_protection_origin_check is set to true, and it should probably always include the base_url.
I should be able to add this in myself, I just want to make sure there's enough community support for this addition before putting the time into it.
richard schneeman
Jan 22, 2020, 6:06:14 PM1/22/20
to rubyonra...@googlegroups.com
I think currently encouraged terminology is “acceptlist” and “denylist”.
One option to gauging interest is to release as a gem. If it gets traction then it makes a good case for making a first class feature, if not...you can still use it.
On Wed, Jan 22, 2020 at 4:45 PM Joey Paris <jo...@leadjig.com> wrote:
Currently, the forgery_protection_origin_check is a boolean option that either only validates the origin is the same as the base_url or validates nothing at all. I like the idea of adding something like forgery_protection_origin_whitelist that contains an array of (regex) strings of approved origin domains. This whitelist check should only be tested if forgery_protection_origin_check is set to true, and it should probably always include the base_url.I should be able to add this in myself, I just want to make sure there's enough community support for this addition before putting the time into it.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-core/d29dd38c-fd2a-473e-9403-d0bf159e7107%40googlegroups.com.
Richard Schneeman
https://www.schneems.com
https://www.schneems.com
Joey Paris
Jan 22, 2020, 6:10:50 PM1/22/20
to Ruby on Rails: Core
I was wondering if "whitelist" was the best term for that, so that's good to know!
Making a gem does seem like a bigger undertaking than my current needs call for, that being said it's a great idea. Especially since I can continue to use it regardless of if it's actually accepted into the Rails repo (not to mention can work on my 5.2.3 environment).
Thanks for the feedback!
On Wednesday, January 22, 2020 at 6:06:14 PM UTC-5, richard schneeman wrote:
I think currently encouraged terminology is “acceptlist” and “denylist”.One option to gauging interest is to release as a gem. If it gets traction then it makes a good case for making a first class feature, if not...you can still use it.
On Wed, Jan 22, 2020 at 4:45 PM Joey Paris <jo...@leadjig.com> wrote:
Currently, the forgery_protection_origin_check is a boolean option that either only validates the origin is the same as the base_url or validates nothing at all. I like the idea of adding something like forgery_protection_origin_whitelist that contains an array of (regex) strings of approved origin domains. This whitelist check should only be tested if forgery_protection_origin_check is set to true, and it should probably always include the base_url.--I should be able to add this in myself, I just want to make sure there's enough community support for this addition before putting the time into it.
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonra...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-core/d29dd38c-fd2a-473e-9403-d0bf159e7107%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages