module TurboGraft::XDomainBlocker

Changes the response status to 403 Forbidden if all of these conditions are true:

- the response is a redirect, i.e. it carries a Location header,
- the request carries an X-XHR-Referer header, and
- the Location is not same-origin (same scheme, host and port) with that referer.

If either header is missing the response is left untouched. Two caveats follow from the code: X-XHR-Referer is supplied by the client, so this is a safeguard for the client's own XHR page loads rather than an authorization check; and a relative Location (no scheme or host) never compares equal to an absolute referer, so it is also answered with 403.

Private Instance Methods

abort_xdomain_redirect()
# File lib/turbograft/x_domain_blocker.rb, line 13
def abort_xdomain_redirect
  to_uri = response.headers['Location'] || ""        # redirect target, if the response is a redirect
  current = request.headers['X-XHR-Referer'] || ""   # page the XHR was issued from (client-supplied)
  # Only a redirect, requested via XHR, to a different origin is blocked;
  # a missing header on either side leaves the status as it was.
  unless to_uri.blank? || current.blank? || same_origin?(current, to_uri)
    self.status = 403
  end
end
same_origin?(a, b)
# File lib/turbograft/x_domain_blocker.rb, line 7
def same_origin?(a, b)
  a = URI.parse URI::DEFAULT_PARSER.escape(a)
  b = URI.parse URI::DEFAULT_PARSER.escape(b)
  # Origin is the (scheme, host, port) triple. URI fills in the scheme's
  # default port, so "https://h/" and "https://h:443/" compare equal.
  [a.scheme, a.host, a.port] == [b.scheme, b.host, b.port]
end
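To see how the two methods above decide, here is an added, stand-alone model of the check that is not turbograft's own code: it replaces `response.headers` / `request.headers` with plain Hash arguments, swaps ActiveSupport's `blank?` for `strip.empty?`, and names the escaping parser explicitly (`URI::RFC2396_Parser`, the class `URI::DEFAULT_PARSER` referred to before Ruby 3.4). The request header and the list of Location values are constructed for the example; `xdomain_status`, `decide` and `decisions` are hypothetical names.

```ruby
require 'uri'

# Added example (not turbograft's own code). Same rule as XDomainBlocker:
# origin = (scheme, host, port), compared after escaping the raw header value.
ESCAPER = URI::RFC2396_Parser.new   # assumption: same escaping as URI::DEFAULT_PARSER pre-3.4

def origin_of(url)
  u = URI.parse(ESCAPER.escape(url))
  [u.scheme, u.host, u.port]        # port is filled from the scheme's default (80/443)
end

def same_origin?(a, b)
  origin_of(a) == origin_of(b)
end

# Mirrors abort_xdomain_redirect: returns the status the response ends up with.
# response_headers / request_headers stand in for the Rails header objects.
def xdomain_status(response_headers, request_headers, status)
  to_uri  = response_headers['Location'] || ""
  current = request_headers['X-XHR-Referer'] || ""
  return status if to_uri.strip.empty? || current.strip.empty?   # no redirect or not an XHR fetch
  same_origin?(current, to_uri) ? status : 403
end

# Constructed request: a TurboGraft XHR fetch issued from an https page.
XHR_FROM = { 'X-XHR-Referer' => 'https://app.example.com/orders' }.freeze

# Constructed Location values covering the cases that matter in practice.
CASES = {
  same_host_default_port: 'https://app.example.com/orders/42',
  explicit_443:           'https://app.example.com:443/orders/42',   # same origin, port spelled out
  scheme_downgrade:       'http://app.example.com/orders/42',        # https -> http is cross-origin
  other_subdomain:        'https://evil.example.com/',
  relative_path:          '/orders/42',                              # nil scheme/host never matches
}.freeze

def decide(location, request_headers = XHR_FROM)
  xdomain_status({ 'Location' => location }, request_headers, 302)
end

def decisions
  CASES.transform_values { |loc| decide(loc) }
end

if __FILE__ == $0
  decisions.each { |name, status| puts format('%-24s %d', name, status) }
  puts format('%-24s %d', 'no X-XHR-Referer', decide('https://evil.example.com/', {}))
end
```

The relative-path row is the caveat worth remembering: the comparison is on the raw header, not on a URL resolved against the request, so a hand-set `response.headers['Location'] = '/orders/42'` is refused even though it stays on the same site. Rails' `redirect_to` writes an absolute Location, which is why the check works in ordinary use.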