From 91a87405bcaf71c43d8b9ee5c9d90099d69ac048 Mon Sep 17 00:00:00 2001
From: f
Date: Mon, 28 Sep 2020 18:46:55 -0300
Subject: [PATCH] =?UTF-8?q?algunos=20navegadores=20no=20env=C3=ADan=20orig?= =?UTF-8?q?in?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/controllers/api/v1/base_controller.rb | 5 +++++
 app/controllers/api/v1/protected_controller.rb | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index 3ca3016..2d58187 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -26,6 +26,11 @@ module Api
 def origin
 request.headers['Origin']
 end
+
+ # Los navegadores antiguos no envĂ­an Origin
+ def origin?
+ !origin.blank?
+ end
 end
 end
 end
diff --git a/app/controllers/api/v1/protected_controller.rb b/app/controllers/api/v1/protected_controller.rb
index bce9555..7c45309 100644
--- a/app/controllers/api/v1/protected_controller.rb
+++ b/app/controllers/api/v1/protected_controller.rb
@@ -85,7 +85,7 @@ module Api
 # XXX: Este header se puede falsificar de todas formas pero al
 # menos es una trampa.
 def site_is_origin?
- return if site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
+ return if origin? && site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
 @reason = 'site_is_not_origin'
 head :precondition_required
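Review bot: `!origin.blank?` in the added `origin?` is a double negative; ActiveSupport's `origin.present?` says the same thing directly and behaves identically. The comment above it only says that old browsers omit Origin, so it would help to state what the predicate is for, e.g. `# True when the request carries a non-blank Origin header; callers decide what a missing Origin means.` The enclosing class and module open outside the hunk.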
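Review bot: The comparison in `site_is_origin?` is still a prefix match (`origin.to_s.start_with? u`), and because the URLs are requested without a trailing slash, an Origin whose host merely begins with the site's host would be accepted. Unlike the forged-header case the XXX comment already concedes, that value can arrive from an ordinary browser on another domain. Comparing whole values closes the gap, assuming `site.urls(slash: false)` returns bare scheme-and-host strings: `return if origin? && site.urls(slash: false).include?(origin)`. Separately, with the added `origin? &&` guard a request without Origin still falls through to `head :precondition_required`, so if the commit is meant to let older browsers through it does not; if rejecting them is intended, a one-line comment saying so would prevent a later "fix" that fails open. The method's closing `end` is outside the hunk.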