Currently when the disable_request_forgery_protection is set to true, you need to specify the list of allowed origins.
This can be quite problematic if the application is available using multiple addresses or it is massively deployed for various customers.
My idea is to have an optional allow_same_origin_as_host that will allow any origin beginning with the current HTTP_HOST.
proto = Rack::Request.new(env).ssl? ? 'https' : 'http'
I’m not a security expert and it is possible that this is completely unsafe, but I haven’t found any other solution without specifying the list of all allowed origins.
I have a PR prepared with tests and it works well in our application…
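To make the proposal concrete, here is an added example (not the poster's PR and not ActionCable's own code) that builds the expected origin from a Rack env the way the snippet above does, and places the proposed "begins with HTTP_HOST" test next to an exact scheme/host/port comparison. The module name `SameOriginCheck`, its method names, and the env hashes are all constructed for this illustration; only `rack.url_scheme` and `HTTP_HOST` are real Rack env keys.

```ruby
require "uri"

# Hypothetical helper contrasting a prefix match against an exact origin match.
module SameOriginCheck
  # Build "scheme://host[:port]" from a Rack env hash. Rack sets rack.url_scheme
  # from HTTPS / X-Forwarded-Proto, which is what Rack::Request#ssl? consults;
  # HTTP_HOST may already carry a non-default port.
  def self.expected_origin(env)
    scheme = env["rack.url_scheme"] == "https" ? "https" : "http"
    "#{scheme}://#{env['HTTP_HOST']}"
  end

  # The match as proposed above: accept any Origin that starts with the
  # current host string.
  def self.prefix_match?(env, origin)
    origin.to_s.start_with?(expected_origin(env))
  end

  # Exact match: parse the Origin header and compare scheme, host and port
  # component by component (URI normalises default ports, so ":443" on an
  # https origin still matches).
  def self.exact_match?(env, origin)
    expected = URI.parse(expected_origin(env))
    actual   = URI.parse(origin.to_s)
    return false if actual.host.nil? || expected.host.nil?

    actual.scheme == expected.scheme &&
      actual.host.downcase == expected.host.downcase &&
      actual.port == expected.port
  rescue URI::InvalidURIError
    false
  end

  # Constructed sample env for a deployment reachable as https://app.example.com
  SAMPLE_ENV = { "rack.url_scheme" => "https", "HTTP_HOST" => "app.example.com" }.freeze

  # Constructed Origin headers: the first two are legitimate for SAMPLE_ENV,
  # the rest are not, even though some of them begin with the host string.
  SAMPLE_ORIGINS = [
    "https://app.example.com",
    "https://app.example.com:443",
    "https://app.example.com.attacker.test",
    "https://app.example.com:8443",
    "http://app.example.com",
    "null",
  ].freeze

  # Returns { origin => [prefix_result, exact_result] } for the sample inputs.
  def self.compare(env = SAMPLE_ENV, origins = SAMPLE_ORIGINS)
    origins.each_with_object({}) do |o, acc|
      acc[o] = [prefix_match?(env, o), exact_match?(env, o)]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  SameOriginCheck.compare.each do |origin, (prefix, exact)|
    puts format("%-42s prefix=%-5s exact=%s", origin, prefix, exact)
  end
end
```

The table it prints shows why the check should compare whole components rather than a string prefix: `https://app.example.com.attacker.test` and `https://app.example.com:8443` both begin with the host-derived string yet are different origins, and the exact comparison rejects them while still accepting `https://app.example.com:443`.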