Currently, the forgery_protection_origin_check is a boolean option that either only validates the origin is the same as the base_url or validates nothing at all. I like the idea of adding something like forgery_protection_origin_whitelist that contains an array of (regex) strings of approved origin domains. This whitelist check should only be tested if forgery_protection_origin_check is set to true, and it should probably always include the base_url.

I should be able to add this in myself, I just want to make sure there's enough community support for this addition before putting the time into it.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-core/d29dd38c-fd2a-473e-9403-d0bf159e7107%40googlegroups.com.
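An added illustration of the proposed check, not Rails code or the proposer's patch, using the hypothetical names OriginPolicy and acceptlist: each pattern is anchored against the whole normalized origin so a loose regex cannot accept a look-alike host, base_url is always accepted, and the list is only consulted when the boolean check is on.

```ruby
require "uri"

# Hypothetical model of a forgery_protection_origin_acceptlist setting.
class OriginPolicy
  attr_reader :base_url, :acceptlist, :origin_check

  def initialize(base_url:, origin_check: true, acceptlist: [])
    @base_url = base_url
    @origin_check = origin_check
    # Anchor every pattern to the full origin: "partner\.example\.test" alone
    # would otherwise also accept "partner.example.test.attacker.test".
    @acceptlist = acceptlist.map { |s| Regexp.new("\\A(?:#{s})\\z") }
  end

  def valid_origin?(origin_header)
    return true unless origin_check        # check disabled: accept everything
    return true if origin_header.nil?      # Rails accepts a missing Origin header
    origin = normalize(origin_header)
    return false if origin.nil?            # "null" or unparsable origin: reject
    return true if origin == normalize(base_url)  # base_url is always accepted
    acceptlist.any? { |re| re.match?(origin) }
  end

  private

  # Reduce an origin or URL to lowercase scheme://host[:port], dropping any
  # path, so comparison is by origin rather than by string prefix.
  def normalize(value)
    uri = URI.parse(value.to_s.strip)
    return nil unless uri.scheme && uri.host
    port = uri.port == uri.default_port ? "" : ":#{uri.port}"
    "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}"
  rescue URI::InvalidURIError
    nil
  end
end
```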
I think currently encouraged terminology is “acceptlist” and “denylist”.

One option to gauging interest is to release as a gem. If it gets traction then it makes a good case for making a first class feature, if not...you can still use it.
On Wed, Jan 22, 2020 at 4:45 PM Joey Paris <jo...@leadjig.com> wrote: