
Fix CSRF error when Origin header is null

Heinrich Lee Yu requested to merge fix-settings-being-overridden-late into master

What does this MR do and why?

In !70577 (merged), we load Rails 6.1 defaults then override the ones we haven't adopted in an initializer.

Overriding in an initializer is too late because the config values are already used and copied to some classes like ActionController::Base.

This moves the overrides to application.rb right after we call load_defaults.

Related to #345765 (closed)

How to set up and validate locally

Before:

[1] pry(main)> Rails.application.config.action_controller.forgery_protection_origin_check
=> false
[2] pry(main)> ActionController::Base.forgery_protection_origin_check
=> true

After:

[1] pry(main)> ActionController::Base.forgery_protection_origin_check
=> false
[2] pry(main)> Rails.application.config.action_controller.forgery_protection_origin_check
=> false

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Heinrich Lee Yu
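To illustrate the ordering problem the MR describes, here is an added example that is not GitLab's or Rails' code. It models with plain Ruby how a config value is copied once into a controller class at boot; the names AppConfig, BaseController and apply_config_to_controllers! are hypothetical stand-ins for Rails.application.config.action_controller, ActionController::Base and the copy Rails performs when the controller class is set up.

```ruby
# Added example (not GitLab's code): a minimal model of why overriding a
# Rails 6.1 default in config/initializers/*.rb is too late, while overriding
# in application.rb right after load_defaults works. Class and method names
# here (AppConfig, BaseController, apply_config_to_controllers!) are
# hypothetical stand-ins for Rails.application.config.action_controller and
# ActionController::Base.

# Stand-in for Rails.application.config.action_controller
class AppConfig
  attr_accessor :forgery_protection_origin_check

  # Stand-in for load_defaults 6.1, which turns the Origin check on
  def load_defaults
    @forgery_protection_origin_check = true
    self
  end
end

# Stand-in for ActionController::Base; the framework copies config values
# into class-level attributes like this one when the class is set up
class BaseController
  class << self
    attr_accessor :forgery_protection_origin_check
  end
end

# Models the one-time copy from config into the controller class
def apply_config_to_controllers!(config)
  BaseController.forgery_protection_origin_check = config.forgery_protection_origin_check
end

# Returns [config value, class value] when the override lives in an
# initializer, i.e. it runs AFTER the copy has already happened
def override_in_initializer
  config = AppConfig.new.load_defaults
  apply_config_to_controllers!(config)           # boot: values copied
  config.forgery_protection_origin_check = false # initializer runs too late
  [config.forgery_protection_origin_check, BaseController.forgery_protection_origin_check]
end

# Same override placed in application.rb right after load_defaults,
# so it is in place BEFORE the copy
def override_in_application_rb
  config = AppConfig.new.load_defaults
  config.forgery_protection_origin_check = false # override before the copy
  apply_config_to_controllers!(config)
  [config.forgery_protection_origin_check, BaseController.forgery_protection_origin_check]
end
```

The first function reproduces the "Before" pry output (config false, class true); the second reproduces the "After" output where both read false.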
