block xdomain redirect

abort cross domain redirect when the request is from turbolinks
commit 75b0d71d0a5771c8cd0a9011719784aca5ae5ca4 1 parent 61e92f5
@mala mala authored
Showing with 20 additions and 2 deletions.
  1. +20 −2 lib/turbolinks.rb
22 lib/turbolinks.rb
@@ -26,12 +26,30 @@ def set_request_method_cookie
cookies[:request_method] = request.request_method
end
end
-
+
+ module XDomainBlocker
+ private
+ def is_sameorigin(a, b)
+ a = URI.parse(a)
+ b = URI.parse(b)
+ a.scheme + a.host + a.port.to_s == b.scheme + b.host + b.port.to_s
+ end
+
+ def abort_xdomain_redirect
+ to_uri = response.headers['Location'] || ""
+ current = request.headers['X-XHR-Referer'] || ""
+ if (!to_uri.empty? && !current.empty? && !is_sameorigin(current, to_uri))
+ self.status = 403
+ end
+ end
+ end
+
class Engine < ::Rails::Engine
initializer :turbolinks_xhr_headers do |config|
ActionController::Base.class_eval do
- include XHRHeaders, Cookies
+ include XHRHeaders, Cookies, XDomainBlocker
before_filter :set_xhr_current_location, :set_request_method_cookie
+ after_filter :abort_xdomain_redirect
end
ActionDispatch::Request.class_eval do
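Review bot: `is_sameorigin` is the entire cross-origin decision, yet both of its inputs are request/response headers and neither is guaranteed to parse: a `Location` or `X-XHR-Referer` value that `URI.parse` rejects raises `URI::InvalidURIError` out of the after_filter, and a scheme-less (relative) `Location` makes `a.scheme + a.host` raise `NoMethodError` on nil, so the filter fails with a 500 instead of reaching the 403. Concatenating scheme, host and port with no separator also makes the comparison ambiguous across the host/port boundary; comparing them as a tuple avoids that, and `normalize` lowercases scheme and host so a mixed-case header does not yield a spurious 403. The rewrite below fails closed on a parse error; whether a relative `Location` should instead be resolved against `request.url` with `URI.join` depends on whether anything in the app sets `Location` by hand, which is not visible here. Naming the predicate `same_origin?` would follow Ruby convention. The `Engine` initializer continues past the end of the hunk.
```ruby
    def is_sameorigin(a, b)
      a = URI.parse(a).normalize
      b = URI.parse(b).normalize
      # compare origin as a tuple; no separator-free concatenation
      [a.scheme, a.host, a.port] == [b.scheme, b.host, b.port]
    rescue URI::InvalidURIError
      # fail closed: an unparsable header is treated as cross-origin
      false
    end
```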