README.md says "Note about Rails 6: Rails 6 has support for blocking requests from unknown hosts, so origin domains will need to be added there as well."
Why do origin domains need to be added? ActionDispatch::HostAuthorization seems to only be checking the Host header.
Furthermore, following the instructions literally and adding an origin domain with Rails.application.config.hosts << "product.com" breaks the production environment: the application becomes inaccessible in production if application.config.hosts wasn't previously defined in the production environment to include the app's domain explicitly.
I read #203 several times, but couldn't find an explanation.