Currently, the forgery_protection_origin_check is a boolean option that 
either only validates the origin is the same as the base_url or validates 
nothing at all. I like the idea of adding something 
like forgery_protection_origin_whitelist that contains an array of (regex) 
strings of approved origin domains. This whitelist check should only be 
tested if forgery_protection_origin_check is set to true, and it should 
probably always include the base_url.

I should be able to add this in myself; I just want to make sure there's 
enough community support for this addition before putting the time into it.
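
A sketch of the check proposed above, added as an example; it is not part of the original post and is not Rails code. The method names, the allowlist parameter and all hosts are hypothetical, and accepting an absent Origin header is an assumption. It anchors every pattern, because an unanchored regex also matches lookalike hosts.

```ruby
# Added sketch of the proposed origin allowlist; not Rails code.
# All hosts and patterns below are constructed for illustration.

# Wrap each allowlist entry in \A...\z so the whole Origin value must match.
# Ruby's ^ and $ anchor at line boundaries, so they are not sufficient here.
def compile_allowlist(patterns)
  patterns.map { |p| Regexp.new("\\A(?:#{p})\\z") }
end

# origin:        value of the Origin request header (nil when absent)
# base_url:      scheme://host[:port] of the current request
# check_enabled: stands in for forgery_protection_origin_check
# allowlist:     stands in for the proposed (hypothetical) whitelist option
def origin_allowed?(origin, base_url, check_enabled:, allowlist: [])
  return true unless check_enabled   # option off: nothing is validated
  return true if origin.nil?         # assumption: absent header is accepted
  return true if origin == base_url  # base_url is always on the list
  compile_allowlist(allowlist).any? { |re| re.match?(origin) }
end

# The pitfall the anchoring avoids: the same patterns, used unanchored,
# match anywhere inside the Origin string.
def unanchored_match?(origin, patterns)
  patterns.any? { |p| Regexp.new(p).match?(origin) }
end

BASE_URL  = "https://app.example.com"              # constructed
ALLOWLIST = ['https://[a-z0-9-]+\.example\.com']   # constructed
LOOKALIKE = "https://admin.example.com.attacker.test"

if __FILE__ == $PROGRAM_NAME
  [BASE_URL, "https://admin.example.com", LOOKALIKE, "https://other.test"].each do |o|
    ok = origin_allowed?(o, BASE_URL, check_enabled: true, allowlist: ALLOWLIST)
    puts format("%-45s %s", o, ok ? "allowed" : "rejected")
  end
end
```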
