Merge pull request #197 from mala/patch-1

block xdomain redirect
commit 1417bf42baef4f7cde69cb9ff13c8d25c4a693d5 2 parents 7d4238f + f8fe258
@reed reed authored
Showing with 20 additions and 2 deletions.
  1. +20 −2 lib/turbolinks.rb
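--- a/lib/turbolinks.rb
+++ b/lib/turbolinks.rb
@@ -26,12 +26,30 @@ def set_request_method_cookie
 cookies[:request_method] = request.request_method
 end
 end
-
+
+ module XDomainBlocker
+ private
+ def same_origin?(a, b)
+ a = URI.parse(a)
+ b = URI.parse(b)
+ [a.scheme, a.host, a.port] == [b.scheme, b.host, b.port]
+ end
+
+ def abort_xdomain_redirect
+ to_uri = response.headers['Location'] || ""
+ current = request.headers['X-XHR-Referer'] || ""
+ unless to_uri.blank? || current.blank? || same_origin?(current, to_uri)
+ self.status = 403
+ end
+ end
+ end
+
 class Engine < ::Rails::Engine
 initializer :turbolinks_xhr_headers do |config|
 ActionController::Base.class_eval do
- include XHRHeaders, Cookies
+ include XHRHeaders, Cookies, XDomainBlocker
 before_filter :set_xhr_current_location, :set_request_method_cookie
+ after_filter :abort_xdomain_redirect
 end
 ActionDispatch::Request.class_eval do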
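Review bot: `same_origin?` passes `X-XHR-Referer`, a request header the client controls, straight to `URI.parse`, so a value that is not a parseable URI raises `URI::InvalidURIError` out of the `after_filter` and the redirect ends as an unhandled exception rather than the intended 403. Make the method fail closed by ending it with `rescue URI::InvalidURIError` / `false`, so an unparseable origin is treated as not same-origin. The check is also skipped whenever either header is blank, so only clients that send `X-XHR-Referer` are covered; that looks intentional, but a comment on `abort_xdomain_redirect` such as `# Only XHR requests that identify their origin are checked; a 403 presumably keeps the client from following a cross-origin Location` would record it. Scheme and host are compared case-sensitively, which can reject a referer that differs only in case (a false positive, not a bypass). The `ActionDispatch::Request.class_eval` block at the end of the hunk continues outside the visible lines.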