# File lib/turbolinks.rb, line 38
# Turns a redirect into a 403 when its Location is on a different origin than
# the page named in the X-XHR-Referer request header.
#
# Both values are read as strings, with "" standing in for a missing header.
# The status is only changed when both are present and same_origin? reports
# false. If either is blank the response is left untouched.
#
# X-XHR-Referer comes from request.headers, so it is supplied by the client.
# The check is skipped whenever that header is absent, so it only covers
# requests that carry the header.
def abort_xdomain_redirect
  redirect_target = response.headers['Location'] || ""
  xhr_referer = request.headers['X-XHR-Referer'] || ""

  # Nothing to compare: not a redirect, or the request carried no referer header.
  return if redirect_target.blank? || xhr_referer.blank?

  # Redirect stays on the origin the request came from, so let it through.
  return if same_origin?(xhr_referer, redirect_target)

  self.status = 403
end
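# File lib/turbolinks.rb, line 32
# Reports whether two URL strings share the same origin, i.e. the same
# scheme, host and port as returned by URI.parse.
#
# The three components are compared exactly as parsed; no further
# normalization is applied here. A URL without a scheme or host (for example
# a relative path) parses to nil components and therefore only matches
# another URL whose components are also nil.
#
# @param a [String] first URL
# @param b [String] second URL
# @return [Boolean] true when scheme, host and port are all equal; false when
#   they differ or when either string cannot be parsed as a URI
def same_origin?(a, b)
  a = URI.parse(a)
  b = URI.parse(b)
  [a.scheme, a.host, a.port] == [b.scheme, b.host, b.port]
rescue URI::InvalidURIError
  # Fail closed: a value that cannot be parsed cannot be shown to share an
  # origin. Returning false keeps a malformed header from raising out of the
  # origin check.
  false
end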