diff --git a/app/controllers/api/v1/protected_controller.rb b/app/controllers/api/v1/protected_controller.rb index 4e49f3a..5a14bb2 100644 --- a/app/controllers/api/v1/protected_controller.rb +++ b/app/controllers/api/v1/protected_controller.rb @@ -85,7 +85,9 @@ module Api # XXX: Este header se puede falsificar de todas formas pero al # menos es una trampa. def site_is_origin? - return if origin? && site.urls(slash: false).any? { |u| origin.to_s.start_with? u } + return if site.urls(slash: false).any? do |u| + (origin || origin_from_referer).to_s.start_with? u + end @reason = 'site_is_not_origin' render plain: Rails.env.production? ? nil : @reason, status: :precondition_required