How do I specify Origin Whitelist Options in Sinatra using Rack/Protection


Problem description


I have a web app, let's say http://web.example.com, making a POST request to http://api.example.com. The api server is running the latest version of Sinatra with rack protection enabled. I am getting this error 'attack prevented by Rack::Protection::HttpOrigin'.

I can do something like this:

set :protection, :except => [:http_origin]

but I feel like I am just ignoring the actual problem.

I have tried to do this:

use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com']

but I still get the warning.

The request does not get rejected, but Sinatra clears my session (see this post), and I need the session_id.

Any help or examples on how to specify the option_whitelist for the HttpOrigin class would be greatly appreciated.

Solution

Pass your options as a hash to set :protection:

set :protection, :origin_whitelist => ['http://web.example.com']

Sinatra will then pass them through to Rack::Protection when setting it up.

I suspect the reason it is failing when you have use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com'] is that you still have protection enabled, so that you end up with two instances of HttpOrigin. You could try

set :protection, :except => [:http_origin]
use Rack::Protection::HttpOrigin, :origin_whitelist => ['http://web.example.com']

(i.e. have both the lines you’ve tried together), but I think the first solution is cleaner.
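The two-instances situation the answer suspects, as an added example that is not part of the original post and is not Rack::Protection's own code. `OriginCheck`, `build` and `post_from` are hypothetical names for a simplified model, and the session-clearing reaction is assumed from the behaviour the question describes.

```ruby
# Simplified model of an Origin check; NOT Rack::Protection's own code.
class OriginCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app, origin_whitelist: [])
    @app = app
    @whitelist = origin_whitelist
  end

  # Accept safe methods, requests without an Origin header, same-origin
  # requests, and origins on the whitelist.
  def accepts?(env)
    origin = env['HTTP_ORIGIN'].to_s
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD']) || origin.empty?
    return true if origin == "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}"

    @whitelist.include?(origin)
  end

  # Assumed reaction: clear the session instead of rejecting, which is the
  # behaviour the question describes.
  def call(env)
    env['rack.session'].clear unless accepts?(env)
    @app.call(env)
  end
end

# Constructed endpoint: answers with the session_id it can still see.
ENDPOINT = ->(env) { [200, {}, [env['rack.session'].fetch('session_id', 'none')]] }

# Build a stack from whitelists, outermost layer first.
def build(*whitelists)
  whitelists.reverse.inject(ENDPOINT) { |app, wl| OriginCheck.new(app, origin_whitelist: wl) }
end

# Constructed cross-origin POST to api.example.com carrying a session.
def post_from(stack, origin)
  env = { 'REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => origin,
          'rack.url_scheme' => 'http', 'HTTP_HOST' => 'api.example.com',
          'rack.session' => { 'session_id' => 'abc123' } }
  stack.call(env)[2].first
end

WEB = 'http://web.example.com'
TWO_CHECKS = build([], [WEB]) # default check plus the extra `use` line
ONE_CHECK  = build([WEB])     # whitelist handed to the single check
```

In this model, a whitelisted POST through `TWO_CHECKS` still loses its session because the check without a whitelist runs as well, while `ONE_CHECK` keeps the session for the whitelisted origin and drops it for any other.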
