[Feature] Add whitelist for forgery_protection_origin_check


[Feature] Add whitelist for forgery_protection_origin_check

Joey Paris
Currently, the forgery_protection_origin_check is a boolean option that either only validates the origin is the same as the base_url or validates nothing at all. I like the idea of adding something like forgery_protection_origin_whitelist that contains an array of (regex) strings of approved origin domains. This whitelist check should only be tested if forgery_protection_origin_check is set to true, and it should probably always include the base_url.

I should be able to add this in myself, I just want to make sure there's enough community support for this addition before putting the time into it.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-core/d29dd38c-fd2a-473e-9403-d0bf159e7107%40googlegroups.com.
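To make the proposal concrete, here is an added example (written for this page, not code from Rails or from the poster) of the origin check extended with an acceptlist. The method and helper names are hypothetical; it assumes, as a design choice, that a missing Origin header is still accepted while a literal "null" origin is rejected, and it matches acceptlist entries against the full normalised origin rather than a bare hostname.

```ruby
# Added example, not Rails code: the proposed acceptlist semantics.
require "uri"

# Returns true when the Origin header is acceptable for a state-changing
# request. The acceptlist is consulted only when the boolean check is on,
# and base_url is always accepted, as the proposal suggests.
#
# origin:     Origin header value (nil when the browser did not send one)
# base_url:   scheme://host[:port] the application is served from
# check:      the existing boolean (forgery_protection_origin_check)
# acceptlist: Strings (exact origins) or Regexps (matched on the full origin)
def valid_request_origin?(origin, base_url, check:, acceptlist: [])
  return true unless check
  # Browsers send the literal "null" for opaque origins (sandboxed frames,
  # some cross-origin redirects); it identifies nobody, so never accept it.
  return false if origin == "null"
  # Assumption: a missing header is accepted, leaving the token check to
  # cover that request, which matches the boolean check's current behaviour.
  return true if origin.nil?

  # Compare scheme, host and port together, never just the hostname, and
  # normalise so that "https://example.com:443" equals "https://example.com".
  origin_norm = normalize_origin(origin)
  return false if origin_norm.nil?
  return true if origin_norm == normalize_origin(base_url)

  acceptlist.any? do |entry|
    if entry.is_a?(Regexp)
      # Regexps must be anchored by the caller: an unanchored /example\.com/
      # would also accept "https://example.com.attacker.test".
      entry.match?(origin_norm)
    else
      normalize_origin(entry.to_s) == origin_norm
    end
  end
end

# Canonical "scheme://host[:port]" form, or nil for anything that is not an
# http(s) origin (garbage, relative strings, unknown schemes).
def normalize_origin(str)
  uri = URI.parse(str)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  default = uri.scheme == "https" ? 443 : 80
  port = (uri.port.nil? || uri.port == default) ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end
```

Note that a scheme downgrade ("http://app.test" against a base_url of "https://app.test") is rejected because the whole origin is compared, not only the host.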

Re: [Feature] Add whitelist for forgery_protection_origin_check

richard schneeman-2
I think currently encouraged terminology is “acceptlist” and “denylist”.

One option for gauging interest is to release it as a gem. If it gets traction, then it makes a good case for making it a first-class feature; if not... you can still use it.

On Wed, Jan 22, 2020 at 4:45 PM Joey Paris <[hidden email]> wrote:
--
Richard Schneeman
https://www.schneems.com


Re: [Feature] Add whitelist for forgery_protection_origin_check

Joey Paris
I was wondering if "whitelist" was the best term for that, so that's good to know!

Making a gem does seem like a bigger undertaking than my current needs call for; that being said, it's a great idea. Especially since I can continue to use it regardless of whether it's actually accepted into the Rails repo (not to mention that it can work on my 5.2.3 environment).

Thanks for the feedback!

On Wednesday, January 22, 2020 at 6:06:14 PM UTC-5, richard schneeman wrote:
