[Feature] Add whitelist for forgery_protection_origin_check


Joey Paris

Jan 22, 2020, 5:45:34 PM
to Ruby on Rails: Core
Currently, forgery_protection_origin_check is a boolean option that either only validates that the origin is the same as the base_url or validates nothing at all. I like the idea of adding something like forgery_protection_origin_whitelist that contains an array of (regex) strings of approved origin domains. This whitelist check should only be tested if forgery_protection_origin_check is set to true, and it should probably always include the base_url.

I should be able to add this in myself, I just want to make sure there's enough community support for this addition before putting the time into it.
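
As an added example that is not part of this thread or of Rails itself: a plain-Ruby model of what the boolean option does today, extended with a hypothetical allowed_origins option. In Rails the existing check is ActionController::RequestForgeryProtection#valid_request_origin?: it rejects an Origin of "null", accepts a missing Origin header because some user agents never send one, and otherwise requires Origin to equal request.base_url. The model keeps those three rules and only then consults the allowlist. The names OriginCheck, allowed_origins, naive_match? and the sample origins are assumptions made for this example; the point it demonstrates is that regex entries must be anchored to the whole origin, or a substring hit lets an attacker-controlled host through.

```ruby
# Added example, not Rails' own code: a stand-alone model of the Origin
# check behind forgery_protection_origin_check, extended with a
# hypothetical allowed_origins option. Runs in plain Ruby, no Rails needed.

class InvalidAuthenticityToken < StandardError; end

class OriginCheck
  # base_url: scheme://host[:port] of this app, as Rails' request.base_url gives it
  # check: the existing boolean forgery_protection_origin_check
  # allowed_origins: hypothetical allowlist of exact origin Strings or Regexps
  def initialize(base_url, check: true, allowed_origins: [])
    @base_url = base_url
    @check = check
    @allowed_origins = allowed_origins
  end

  # Mirrors Rails' valid_request_origin?: a disabled check accepts anything;
  # an explicit "null" Origin is rejected; a missing Origin is accepted
  # because some user agents never send the header; otherwise the Origin
  # must equal base_url. The allowlist is consulted only after that.
  def valid_request_origin?(origin)
    return true unless @check
    raise InvalidAuthenticityToken, 'null Origin header' if origin == 'null'
    return true if origin.nil?
    return true if origin == @base_url

    @allowed_origins.any? { |entry| allowed?(entry, origin) }
  end

  # Unanchored substring comparison, kept only to contrast with allowed? below.
  def self.naive_match?(pattern, origin)
    origin.match?(pattern)
  end

  private

  def allowed?(entry, origin)
    case entry
    when String
      entry == origin # whole-origin equality: scheme, host and port must all agree
    when Regexp
      # Force a full match so /https:\/\/[a-z0-9-]+\.example\.com/ cannot be
      # satisfied by https://app.example.com.attacker.net via a substring hit.
      origin.match?(Regexp.new("\\A(?:#{entry.source})\\z", entry.options))
    else
      false
    end
  end
end

# Constructed sample configuration and origins for demonstration only.
EXAMPLE_CHECK = OriginCheck.new(
  'https://app.example.com',
  check: true,
  allowed_origins: ['https://admin.example.com', /https:\/\/[a-z0-9-]+\.example\.com/]
)

if __FILE__ == $PROGRAM_NAME
  ['https://app.example.com', 'https://admin.example.com', 'https://shop.example.com',
   'https://app.example.com.attacker.net', 'https://attacker.net', nil].each do |o|
    puts "#{o.inspect.ljust(40)} -> #{EXAMPLE_CHECK.valid_request_origin?(o)}"
  end
end
```

Two design points worth carrying into a real implementation: compare the whole origin (scheme, host and port), never just the host, since an http:// page on the same host is a different origin; and keep the base_url match in front of the allowlist so the allowlist can only widen, never narrow, what the boolean option already permits.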

richard schneeman

Jan 22, 2020, 6:06:14 PM
to rubyonra...@googlegroups.com
I think currently encouraged terminology is “acceptlist” and “denylist”.

One option for gauging interest is to release it as a gem. If it gets traction, that makes a good case for making it a first-class feature; if not... you can still use it.


--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-core/d29dd38c-fd2a-473e-9403-d0bf159e7107%40googlegroups.com.
--
Richard Schneeman
https://www.schneems.com

Joey Paris

Jan 22, 2020, 6:10:50 PM
to Ruby on Rails: Core
I was wondering if "whitelist" was the best term for that, so that's good to know!

Making a gem does seem like a bigger undertaking than my current needs call for; that being said, it's a great idea. Especially since I can continue to use it regardless of whether it's actually accepted into the Rails repo (not to mention that it can work on my 5.2.3 environment).

Thanks for the feedback!

