module Turbolinks::XDomainBlocker

Private Instance Methods

abort_xdomain_redirect()
# File lib/turbolinks.rb, line 38
# Downgrades a cross-origin redirect to a 403 response.
#
# Compares the response's Location header with the request's X-XHR-Referer
# header. When both are present and same_origin? reports that they differ,
# the response status is set to 403. When either header is missing or blank
# the response is left untouched.
#
# Only the status is changed here; the Location header itself is not cleared.
# NOTE(review): X-XHR-Referer is a request header, so its value comes from
# the client. This check relies on the client reporting it honestly and
# should not be treated as an authentication or authorization control.
def abort_xdomain_redirect
  target = response.headers['Location'] || ""
  referer = request.headers['X-XHR-Referer'] || ""

  # Nothing to compare unless this is a redirect and the referer was supplied.
  return if target.blank? || referer.blank?
  return if same_origin?(referer, target)

  self.status = 403
end
same_origin?(a, b)
# File lib/turbolinks.rb, line 32
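# Reports whether two URL strings share an origin (scheme, host and port).
#
# Host names are compared case-insensitively. A value that cannot be parsed
# as a URI is treated as a different origin rather than raising, so that a
# malformed header value makes the caller's check fail closed instead of
# surfacing as an unhandled URI::InvalidURIError.
#
# @param a [String] first URL
# @param b [String] second URL
# @return [Boolean] true when scheme, host and port all match; false when
#   they differ or when either value is not a parseable URI
def same_origin?(a, b)
  # Host names are case-insensitive; a nil host (relative reference) is kept
  # as nil so it never compares equal to an empty host.
  origin = lambda { |uri| [uri.scheme, uri.host && uri.host.downcase, uri.port] }
  origin.call(URI.parse(a)) == origin.call(URI.parse(b))
rescue URI::InvalidURIError
  # An unparseable URL cannot be shown to be same-origin: fail closed.
  false
end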