Module: Wurk::SameOriginGuard

Extended by:
ActiveSupport::Concern
Included in:
ApiController, ExtensionsController
Defined in:
app/controllers/concerns/wurk/same_origin_guard.rb

Overview

Sidekiq's CSRF model (spec §25.1) for the dashboard's token-less, cookie- authenticated surfaces. The SolidJS SPA (JSON fetch) and host-registered extension forms send no Rails authenticity token, so protect_from_forgery can't apply — guard unsafe methods with a same-origin check instead. A cross-site page can drive a victim's browser but cannot forge Sec-Fetch-Site: same-origin (the browser sets it); a missing header is denied too, since only a non-browser client omits it and it carries no ambient session cookie to abuse.

Mirrors the standalone Rack surface (Wurk::Web#safe_request?) so every mutating dashboard entry point enforces one rule.

Constant Summary collapse

SAFE_METHODS =

Non-mutating methods need no origin check. Matches Wurk::Web::SAFE_METHODS; kept local so this engine concern carries no lib load-order dependency.

%w[GET HEAD OPTIONS TRACE].freeze