Add whitelist for forgery_protection_origin_check

Currently, the forgery_protection_origin_check is a boolean option that either only validates the origin is the same as the base_url or validates nothing at all. I like the idea of adding something like forgery_protection_origin_whitelist that contains an array of (regex) strings of approved origin domains. This whitelist check should only be tested if forgery_protection_origin_check is set to true, and it should probably always include the base_url.

I should be able to add this in myself, I just want to make sure there’s enough community support for this addition before putting the time into it.
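To make the proposal concrete, here is an added example (neither Rails' own code nor the poster's) of the check described above: the base_url is always accepted, and the array of regex strings is consulted only when forgery_protection_origin_check is on; the module name, the origin_allowlist keyword and the sample values are assumptions.

```ruby
# Added example, not Rails' own code: the proposed allowlist applied to the
# request's Origin header. OriginCheck and origin_allowlist are assumed names.
module OriginCheck
  class NullOriginError < StandardError; end

  # origin:           value of the request's Origin header (nil if absent)
  # base_url:         scheme://host[:port] the app is served from
  # origin_check:     the existing boolean forgery_protection_origin_check
  # origin_allowlist: proposed array of regex strings for approved origins
  def self.valid_request_origin?(origin, base_url:, origin_check:, origin_allowlist: [])
    return true unless origin_check        # option off: validate nothing, as today
    return true if origin.nil?             # some user agents send no Origin header
    raise NullOriginError, origin if origin == "null"  # opaque origin, never acceptable
    return true if origin == base_url      # base_url is always accepted

    # Anchor every entry: an unanchored "https://example\.com" would also
    # accept "https://example.com.attacker.test".
    origin_allowlist.any? { |pat| /\A(?:#{pat})\z/.match?(origin) }
  end
end

if __FILE__ == $0
  # Constructed sample configuration and origins.
  base  = "https://shop.example.com"
  allow = ['https://[a-z0-9-]+\.example\.com', 'https://partner\.example\.org']
  ["https://shop.example.com", "https://cdn.example.com",
   "https://cdn.example.com.attacker.test", "https://partner.example.org:8443", nil].each do |o|
    ok = OriginCheck.valid_request_origin?(o, base_url: base, origin_check: true, origin_allowlist: allow)
    puts "#{o.inspect} => #{ok ? 'allowed' : 'rejected'}"
  end
end
```

Entries are interpreted as regexes, so dots need escaping and a non-default port in the Origin has to be matched explicitly.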

I think currently encouraged terminology is “acceptlist” and “denylist”.

One option for gauging interest is to release it as a gem. If it gets traction then it makes a good case for making it a first-class feature; if not…you can still use it.

I was wondering if “whitelist” was the best term for that, so that’s good to know!

Making a gem does seem like a bigger undertaking than my current needs call for; that being said, it's a great idea. Especially since I can continue to use it regardless of whether it's actually accepted into the Rails repo (not to mention it can work on my 5.2.3 environment).

Thanks for the feedback!