diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index 3ca3016..2d58187 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -26,6 +26,11 @@ module Api
 def origin
 request.headers['Origin']
 end
+
+ # Los navegadores antiguos no envĂ­an Origin
+ def origin?
+ !origin.blank?
+ end
 end
 end
 end
diff --git a/app/controllers/api/v1/protected_controller.rb b/app/controllers/api/v1/protected_controller.rb
index bce9555..7c45309 100644
--- a/app/controllers/api/v1/protected_controller.rb
+++ b/app/controllers/api/v1/protected_controller.rb
@@ -85,7 +85,7 @@ module Api
 # XXX: Este header se puede falsificar de todas formas pero al
 # menos es una trampa.
 def site_is_origin?
- return if site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
+ return if origin? && site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
 
 @reason = 'site_is_not_origin'
 head :precondition_required
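Review bot: The comment above the new `origin?` predicate is mis-encoded (`envĂ­an` should read `envían`), and `!origin.blank?` is the negated form ActiveSupport already spells as `present?`; I would write the body as `origin.present?` under the comment `# Older browsers do not send an Origin header.` A literal `Origin: null` (what browsers send for opaque origins) is non-blank, so `origin?` reports it as present and it is left to the site-URL comparison in protected_controller to reject it, which presumably it does since no site URL starts with that string; the comment could state that. The enclosing class continues outside the hunk.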
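Review bot: The changed `return if` line still accepts the Origin by prefix (`start_with?`), and with `slash: false` the site URL carries no terminator after the host, so any origin whose host merely extends the site's host would satisfy the guard; if `site.urls(slash: false)` yields bare origins (scheme://host[:port]), compare for equality instead: `return if origin? && site.urls(slash: false).include?(origin)`. Once `origin?` guarantees a non-blank value the `.to_s` is redundant either way. Requests without an Origin header behave as before this hunk (the guard is not taken and they fall through to `head :precondition_required`), which is the safer outcome, but since the commit's base_controller comment cites older browsers as the motivation, a line saying they are deliberately rejected would make the intent clear. The method's closing `end` lies outside the hunk.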