[Feature Request] Allow matching HTTP_ORIGIN with HTTP_HOST in ActionCable

Currently when the disable_request_forgery_protection is set to true, you need to specify the list of allowed origins.
This can be quite problematic if the application is available using multiple addresses or it is massively deployed for various customers.

My idea is to have an optional allow_same_origin_as_host that will allow any origin beginning with the current HTTP_HOST.

```ruby
require 'rack'

# Scheme the request actually arrived on (Rack::Request#ssl? also honours X-Forwarded-Proto)
proto = Rack::Request.new(env).ssl? ? 'https' : 'http'
# Accept the request when Origin starts with the request's own scheme and Host
env['HTTP_ORIGIN'].start_with?("#{proto}://#{env['HTTP_HOST']}/")
```

I’m not a security expert and it is possible that this is completely unsafe, but I haven’t found any other solution without specifying the list of all allowed origins.

I have a PR prepared with tests and it works well in our application…

David
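The same-origin-as-host check from this post, written out as an added example (not from the thread or from Rails) around a hypothetical same_origin_as_host? helper: it compares the parsed scheme, host and port of Origin against the request scheme plus HTTP_HOST instead of doing a string prefix match, since a browser's Origin header carries no trailing slash and a bare prefix test would also accept hosts that merely begin with the expected name. It assumes the request scheme is read from rack.url_scheme rather than Rack::Request#ssl?.

```ruby
require 'uri'

# Added example, not from the thread or from Rails: a same-origin-as-host check
# for a Rack env that compares scheme, host and port of the Origin header with
# the request's own scheme and HTTP_HOST. Both sides are parsed as URIs so that
# default ports (80/443) and host letter case are normalised before comparing.
def same_origin_as_host?(env)
  origin = env['HTTP_ORIGIN']
  host   = env['HTTP_HOST']
  return false if origin.nil? || host.nil? || host.empty?

  # Assumption: the request scheme is taken from rack.url_scheme; a real
  # deployment behind a TLS-terminating proxy would use Rack::Request#ssl?,
  # which also honours X-Forwarded-Proto.
  proto = env['rack.url_scheme'] == 'https' ? 'https' : 'http'

  expected = URI.parse("#{proto}://#{host}")
  actual   = URI.parse(origin)

  # A browser sends Origin as scheme://host[:port] with no path; anything
  # without a scheme and host (e.g. the literal "null") cannot match.
  return false if actual.scheme.nil? || actual.host.nil?

  actual.scheme == expected.scheme &&
    actual.host.downcase == expected.host.downcase &&
    actual.port == expected.port
rescue URI::InvalidURIError
  false
end
```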

Is this in reference to Action Cable specifically?

The statements made in this email are contrary to the public documentation for Rails 5 (see https://github.com/rails/rails/tree/master/actioncable#allowed-request-origins) which state:

To disable and allow requests from any origin:

Rails.application.config.action_cable.disable_request_forgery_protection = true

In my mind, if the docs say that setting disable_request_forgery_protection = true will allow requests from any origin, then that’s what Rails should do, and if it doesn’t it’s a bug, not an opportunity to add a new feature.

Alternatively, maybe the behavior is right and the docs are wrong, in which case the docs should be revised.

-Jason

Okay, maybe I wasn’t specific enough. Request forgery protection works as expected and described in the documentation.
My problem is with the part where you have to explicitly specify the list of allowed origins.

As written in my first mail, this can cause issues in some cases and it would be nice to have an alternative solution for matching the ORIGIN with a PROTO://HOST regexp.

On Thursday, June 30, at 15:13:05 UTC+2, Jason FB wrote:

Ah yes that makes more sense.

Looks from the Action Cable docs (https://github.com/rails/rails/tree/master/actioncable#allowed-request-origins) you already can use a Regexp in the list of allowed origins.

-Jason

That’s right, but you can’t use the HTTP_HOST header in the regexp :frowning:

David

On Thursday, June 30, at 19:18:10 UTC+2, Jason FB wrote:

I have also been brewing up a feature to set allowed_request_origins when there are multiple addresses:
https://github.com/lorint/rails/tree/actioncable_with_rails_s_b
It jumps to life when someone runs “rails s -b 0.0.0.0” and automatically finds their private IPs and puts in entries for them. (So 192.168.0.5 would make it, but an Internet IP like 92.40.248.109 would not.) Also it indicates the addresses that get added into allowed_request_origins while action cable is being initialized.
Only affects development – perhaps we could combine efforts so if someone sets allow_same_origin_as_host then it uses HTTP_HOST, and if not then it falls back to my code.

-Lorin