Document :origin_whitelist option for HttpOrigin and pointer from J…

…sonCsrf closes #63
sinatra · Aug 1, 2016 · 7e723a7 · 7e723a7
1 parent b561ee2
commit 7e723a7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/lib/rack/protection/http_origin.rb b/lib/rack/protection/http_origin.rb
@@ -10,7 +10,12 @@ module Protection
     #
     # Does not accept unsafe HTTP requests when value of Origin HTTP request header
     # does not match default or whitelisted URIs.
-    # The :allow_if option can also be set to a proc to use custom allow/deny logic.
+    #
+    # If you want to whitelist a specific domain, you can pass in as the `:origin_whitelist` option:
+    #
+    #     use Rack::Protection, origin_whitelist: ["http://localhost:3000", "http://127.0.01:3000"]
+    #
+    # The `:allow_if` option can also be set to a proc to use custom allow/deny logic.
     class HttpOrigin < Base
       DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'coffee' => 80 }
       default_reaction :deny

diff --git a/lib/rack/protection/json_csrf.rb b/lib/rack/protection/json_csrf.rb
@@ -10,6 +10,9 @@ module Protection
     # JSON GET APIs are vulnerable to being embedded as JavaScript while the
     # Array prototype has been patched to track data. Checks the referrer
     # even on GET requests if the content type is JSON.
+    #
+    # Uses HttpOrigin to determine if requests are safe, please refer to the
+    # documentation for more.
     class JsonCsrf < Base
       alias react deny