From 91a87405bcaf71c43d8b9ee5c9d90099d69ac048 Mon Sep 17 00:00:00 2001
From: f <f@sutty.nl>
Date: Mon, 28 Sep 2020 18:46:55 -0300
Subject: [PATCH] =?UTF-8?q?algunos=20navegadores=20no=20env=C3=ADan=20orig?=
 =?UTF-8?q?in?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/controllers/api/v1/base_controller.rb      | 5 +++++
 app/controllers/api/v1/protected_controller.rb | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index 3ca30168..2d58187c 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -26,6 +26,11 @@ module Api
       def origin
         request.headers['Origin']
       end
+
+      # Los navegadores antiguos no envían Origin
+      def origin?
+        !origin.blank?
+      end
     end
   end
 end
diff --git a/app/controllers/api/v1/protected_controller.rb b/app/controllers/api/v1/protected_controller.rb
index bce9555c..7c453095 100644
--- a/app/controllers/api/v1/protected_controller.rb
+++ b/app/controllers/api/v1/protected_controller.rb
@@ -85,7 +85,7 @@ module Api
       # XXX: Este header se puede falsificar de todas formas pero al
       # menos es una trampa.
       def site_is_origin?
-        return if site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
+        return if origin? && site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
 
         @reason = 'site_is_not_origin'
         head :precondition_required