Implementation of Origin CSRF mitigation request header #16

Merged
merged 4 commits into from May 12, 2012


@p0deje
Contributor
p0deje commented Jan 30, 2012

Short intro to Origin - http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html

This implementation is based on http://tools.ietf.org/html/draft-abarth-origin.
Please note that v7+ of the specification lacks the "HTTP Server Behavior" section, so I used earlier versions too.

What do you think about it?

@p0deje
Contributor
p0deje commented Jan 30, 2012

I keep getting an error for my spec, and I don't know how to fix it. Can you help me with it?

Rack::Protection::HttpOrigin accepts HEAD requests with non-whitelisted Origin
Failure/Error: send(method.downcase, '/', {}, 'HTTP_ORIGIN' => 'http://malicious.com').should be_ok
Rack::Lint::LintError:
  Response body was given for HEAD request, but should be empty
# ./spec/http_origin_spec.rb:18:in `block (3 levels) in <top (required)>'
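The check described in the first comment (reject state-changing requests whose Origin header is neither our own origin nor on an allow list, per the draft-abarth-origin server behaviour) and the Rack::Lint failure quoted above (a body returned for a HEAD request) can both be seen in one small stack. The following is an added example, not the rack-protection project's code: the `OriginCheck` class, its `:permitted_origins` option, `SAMPLE_APP`, `make_env`, `status_for` and `body_for` are all hypothetical names, the envs are constructed for the example, and it needs no gems.

```ruby
# Minimal Rack-compatible middleware applying the Origin-header CSRF check,
# plus an inner app that returns an empty body for HEAD (what Rack::Lint
# enforces). Added example; class, option and helper names are hypothetical.

class OriginCheck
  # Read-only methods are not state-changing, so they are not CSRF targets.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(app, permitted_origins: [])
    @app = app
    @permitted = permitted_origins.map { |o| o.downcase }
  end

  def call(env)
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    origin = env['HTTP_ORIGIN']
    # A missing header means a client that does not send Origin (an old browser
    # or a non-browser client); the draft lets the server fall back to its
    # other defenses, so the request passes through here.
    return @app.call(env) if origin.nil? || origin.empty?

    # "null" (sandboxed iframes, privacy-sensitive contexts) and any value that
    # is neither our own origin nor on the allow list is rejected.
    return forbidden unless allowed?(origin, env)

    @app.call(env)
  end

  def allowed?(origin, env)
    o = origin.downcase
    o == base_url(env) || @permitted.include?(o)
  end

  # Our own origin as a browser would write it: scheme://host[:port], no path.
  # HTTP_HOST already carries a non-default port when one is in use.
  def base_url(env)
    scheme = env['rack.url_scheme'] || 'http'
    host   = env['HTTP_HOST'] || env['SERVER_NAME']
    "#{scheme}://#{host}".downcase
  end

  def forbidden
    body = "Forbidden\n"
    [403, { 'Content-Type' => 'text/plain',
            'Content-Length' => body.bytesize.to_s }, [body]]
  end
end

# Inner app: echoes the method. For HEAD it returns an empty body, which is
# what Rack::Lint checks ("Response body was given for HEAD request").
SAMPLE_APP = lambda do |env|
  body = env['REQUEST_METHOD'] == 'HEAD' ? [] : ["ok #{env['REQUEST_METHOD']}\n"]
  [200, { 'Content-Type' => 'text/plain' }, body]
end

# Build a Rack env for a request with the given method and Origin header.
# Constructed for the example, not captured from a real server.
def make_env(method, origin = nil)
  env = {
    'REQUEST_METHOD'  => method,
    'PATH_INFO'       => '/',
    'rack.url_scheme' => 'http',
    'HTTP_HOST'       => 'example.org',
  }
  env['HTTP_ORIGIN'] = origin unless origin.nil?
  env
end

def run_stack(method, origin = nil)
  app = OriginCheck.new(SAMPLE_APP, permitted_origins: ['https://trusted.example'])
  app.call(make_env(method, origin))
end

def status_for(method, origin = nil)
  run_stack(method, origin).first
end

def body_for(method, origin = nil)
  run_stack(method, origin).last
end

if __FILE__ == $0
  puts status_for('POST', 'http://malicious.com')    # 403: unknown origin
  puts status_for('POST', 'http://example.org')      # 200: same origin
  puts status_for('POST', 'https://trusted.example') # 200: allow-listed
  puts status_for('POST')                            # 200: no Origin header
  puts status_for('HEAD', 'http://malicious.com')    # 200: safe method
end
```

The HEAD case is the one the quoted spec trips over: the middleware correctly lets HEAD through regardless of Origin, but the app behind it must then answer with an empty body or Rack::Lint raises the error shown above.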
@p0deje
Contributor
p0deje commented Feb 17, 2012

Any thoughts on this?

@p0deje
Contributor
p0deje commented May 12, 2012

@rkh Any plans to merge this or should I close the PR?

@rkh
Member
rkh commented May 12, 2012

No, I mean to merge it, sorry.

@rkh rkh merged commit f1c8b55 into sinatra:master May 12, 2012
@p0deje
Contributor
p0deje commented May 12, 2012

No worries, thanks for that!

However, I mentioned in a comment above that I keep getting a spec error, but I don't know what's causing it. Can you help me with this?

@rkh
Member
rkh commented May 12, 2012

I'll look into them later.
