Public Instance methods
check_sec_fetch_site!(&block)
Check that the Sec-Fetch-Site header has an allowed value, if the request method is one that requires the check. If the header is valid or the request does not require the check, return nil. Otherwise, if a block is given, treat it as a routing block and yield to it; if no block is given, use the plugin's :csrf_failure option to determine how the failure is handled.
```ruby
# File lib/roda/plugins/sec_fetch_site_csrf.rb
def check_sec_fetch_site!(&block)
  plugin_opts = self.class.opts[:sec_fetch_site_csrf]
  # Only the configured request methods are checked; anything else passes
  return unless plugin_opts[:check_request_methods].include?(request.request_method)

  # Browsers set this header; it is nil when absent (non-browser or older clients)
  sec_fetch_site = env["HTTP_SEC_FETCH_SITE"]
  return if plugin_opts[:allowed_values].include?(sec_fetch_site)

  # A routing block supplied by the caller handles the failure itself
  @_request.on(&block) if block

  case failure_action = plugin_opts[:csrf_failure]
  when :raise
    raise CsrfFailure, "potential cross-site request, Sec-Fetch-Site value: #{sec_fetch_site.inspect}"
  when :empty_403
    # Halt with an empty 403 response, discarding any headers already set
    @_response.status = 403
    headers = @_response.headers
    headers.clear
    headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
    headers[RodaResponseHeaders::CONTENT_LENGTH] = '0'
    throw :halt, @_response.finish_with_body([])
  when :clear_session
    # Keep routing, but with an emptied session so the request is unauthenticated
    session.clear
  else # when :method
    # Delegate to the application's _roda_sec_fetch_site_csrf_failure method
    @_request.on{_roda_sec_fetch_site_csrf_failure(@_request)}
  end
end
```
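To show how the method/header decision above plays out for different requests, here is an added stand-alone Ruby reimplementation of the same decision logic over plain Rack env hashes. It is not the Roda plugin's code and does not load Roda; the default option values and the sample requests are assumptions constructed for this example, and the 403 response mirrors the :empty_403 failure action.

```ruby
# Stand-alone illustration of the Sec-Fetch-Site decision; not the Roda plugin.
class SecFetchSiteCsrfCheck
  # Assumed defaults for this example (configure to match your application)
  DEFAULTS = {
    check_request_methods: %w[POST PUT PATCH DELETE],
    allowed_values: %w[same-origin none],
  }.freeze

  def initialize(opts = {})
    @opts = DEFAULTS.merge(opts)
  end

  # true when the request should be treated as a potential cross-site request:
  # the method is one we check AND the header value is not on the allow list.
  # A missing header (nil) is not on the list, so it fails under these defaults.
  def csrf_failure?(env)
    return false unless @opts[:check_request_methods].include?(env['REQUEST_METHOD'])
    !@opts[:allowed_values].include?(env['HTTP_SEC_FETCH_SITE'])
  end

  # Rack-style response triple: empty 403 on failure (like :empty_403),
  # otherwise a placeholder success response standing in for the routed app.
  def call(env)
    if csrf_failure?(env)
      [403, { 'content-type' => 'text/html', 'content-length' => '0' }, []]
    else
      [200, { 'content-type' => 'text/plain' }, ['ok']]
    end
  end
end

# Constructed sample requests (minimal Rack env hashes)
SAMPLE_REQUESTS = {
  same_origin_post: { 'REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'same-origin' },
  same_site_post:   { 'REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'same-site' },
  cross_site_post:  { 'REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'cross-site' },
  cross_site_get:   { 'REQUEST_METHOD' => 'GET',  'HTTP_SEC_FETCH_SITE' => 'cross-site' },
  header_missing:   { 'REQUEST_METHOD' => 'POST' },
}.freeze

# Map each sample to its decision so the effect of the options is visible at a glance
def decisions(opts = {})
  checker = SecFetchSiteCsrfCheck.new(opts)
  SAMPLE_REQUESTS.transform_values { |env| checker.csrf_failure?(env) ? :csrf_failure : :allowed }
end
```

Note that under the assumed defaults a POST from a sibling subdomain (same-site) and a POST with no header at all (for example from a non-browser API client) are both rejected; widen allowed_values or exempt such routes deliberately rather than by accident.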