Module: Roda::RodaPlugins::SecFetchSiteCsrf::InstanceMethods

Defined in:
lib/roda/plugins/sec_fetch_site_csrf.rb


Instance Method Details

#check_sec_fetch_site!(&block) ⇒ Object

Check that the Sec-Fetch-Site header is valid, if the request requires it. If the header is valid or the request does not require the header, return nil. Otherwise, if a block is given, treat it as a routing block and yield to it, and if a block is not given, use the plugin :csrf_failure option to determine how to handle it.



# File 'lib/roda/plugins/sec_fetch_site_csrf.rb', line 101

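# Check that the Sec-Fetch-Site header is valid, if the request requires it.
# Browsers set Sec-Fetch-Site themselves; page scripts cannot set or spoof
# it (Sec- prefixed headers are forbidden header names), which is what makes
# it usable as a CSRF signal for browsers that send it.
#
# Flow, driven by the plugin's :sec_fetch_site_csrf options:
# * Requests whose method is not in :check_request_methods are not checked.
# * If the header value (nil when the header is absent) is in
#   :allowed_values, the request is accepted. Whether a missing header is
#   accepted is therefore purely a matter of configuration.
# * Otherwise the request is treated as a potential cross-site request. If a
#   block is given it is used as a routing block; if not, :csrf_failure
#   selects the handling:
#   :raise         raise CsrfFailure
#   :empty_403     halt with an empty 403 response
#   :clear_session clear the session and let the request continue
#   anything else  route to _roda_sec_fetch_site_csrf_failure (the :method
#                  handling)
#
# Returns nil when the request passes the check or is not subject to it.
def check_sec_fetch_site!(&block)
  plugin_opts = self.class.opts[:sec_fetch_site_csrf]
  return unless plugin_opts[:check_request_methods].include?(request.request_method)

  sec_fetch_site = env["HTTP_SEC_FETCH_SITE"]
  return if plugin_opts[:allowed_values].include?(sec_fetch_site)

  # Roda halts the request once a matched routing block has run, so the
  # failure handling below is expected to be reached only when no block was
  # given.
  @_request.on(&block) if block

  case plugin_opts[:csrf_failure]
  when :raise
    raise CsrfFailure, "potential cross-site request, Sec-Fetch-Site value: #{sec_fetch_site.inspect}"
  when :empty_403
    @_response.status = 403
    # Drop any headers set earlier so the rejection carries nothing but a
    # content type and a zero length.
    headers = @_response.headers
    headers.clear
    headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
    headers[RodaResponseHeaders::CONTENT_LENGTH] = '0'
    throw :halt, @_response.finish_with_body([])
  when :clear_session
    # Does not halt: the request continues, but with an emptied session.
    session.clear
  else # when :method
    @_request.on{_roda_sec_fetch_site_csrf_failure(@_request)}
  end
end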