Module: Wurk::SameOriginGuard
- Extended by:
- ActiveSupport::Concern
- Included in:
- ApiController, ExtensionsController
- Defined in:
- app/controllers/concerns/wurk/same_origin_guard.rb
Overview
Sidekiq's CSRF model (spec §25.1) for the dashboard's token-less, cookie-
authenticated surfaces. The SolidJS SPA (JSON fetch) and host-registered
extension forms send no Rails authenticity token, so protect_from_forgery
can't apply — guard unsafe methods with a same-origin check instead. A
cross-site page can drive a victim's browser but cannot forge
Sec-Fetch-Site: same-origin (the browser sets it); a missing header is
denied too, since only a non-browser client omits it and it carries no
ambient session cookie to abuse.
Mirrors the standalone Rack surface (Wurk::Web#safe_request?) so every mutating dashboard entry point enforces one rule.
Constant Summary collapse
- SAFE_METHODS =
Non-mutating methods need no origin check. Matches Wurk::Web::SAFE_METHODS; kept local so this engine concern carries no lib load-order dependency.
%w[GET HEAD OPTIONS TRACE].freeze