diff --git a/IPython/html/base/handlers.py b/IPython/html/base/handlers.py
index 604e0f0..e8e6029 100644
--- a/IPython/html/base/handlers.py
+++ b/IPython/html/base/handlers.py
@@ -157,30 +157,30 @@ class IPythonHandler(AuthenticatedHandler):
#---------------------------------------------------------------
@property
- def cors_origin(self):
+ def allow_origin(self):
"""Normal Access-Control-Allow-Origin"""
- return self.settings.get('cors_origin', '')
+ return self.settings.get('allow_origin', '')
@property
- def cors_origin_pat(self):
- """Regular expression version of cors_origin"""
- return self.settings.get('cors_origin_pat', None)
+ def allow_origin_pat(self):
+ """Regular expression version of allow_origin"""
+ return self.settings.get('allow_origin_pat', None)
@property
- def cors_credentials(self):
+ def allow_credentials(self):
"""Whether to set Access-Control-Allow-Credentials"""
- return self.settings.get('cors_credentials', False)
+ return self.settings.get('allow_credentials', False)
def set_default_headers(self):
"""Add CORS headers, if defined"""
super(IPythonHandler, self).set_default_headers()
- if self.cors_origin:
- self.set_header("Access-Control-Allow-Origin", self.cors_origin)
- elif self.cors_origin_pat:
+ if self.allow_origin:
+ self.set_header("Access-Control-Allow-Origin", self.allow_origin)
+ elif self.allow_origin_pat:
origin = self.get_origin()
- if origin and self.cors_origin_pat.match(origin):
+ if origin and self.allow_origin_pat.match(origin):
self.set_header("Access-Control-Allow-Origin", origin)
- if self.cors_credentials:
+ if self.allow_credentials:
self.set_header("Access-Control-Allow-Credentials", 'true')
def get_origin(self):
diff --git a/IPython/html/base/zmqhandlers.py b/IPython/html/base/zmqhandlers.py
index dc18bb8..3e3f451 100644
--- a/IPython/html/base/zmqhandlers.py
+++ b/IPython/html/base/zmqhandlers.py
@@ -30,8 +30,12 @@ from .handlers import IPythonHandler
class ZMQStreamHandler(websocket.WebSocketHandler):
def check_origin(self, origin):
- """Check Origin == Host or CORS origins."""
- if self.cors_origin == '*':
+ """Check Origin == Host or Access-Control-Allow-Origin.
+
+ Tornado >= 4 calls this method automatically, raising 403 if it returns False.
+ We call it explicitly in `open` on Tornado < 4.
+ """
+ if self.allow_origin == '*':
return True
host = self.request.headers.get("Host")
@@ -47,15 +51,12 @@ class ZMQStreamHandler(websocket.WebSocketHandler):
return True
# Check CORS headers
- if self.cors_origin:
- if self.cors_origin == '*':
- return True
- else:
- return self.cors_origin == origin
- elif self.cors_origin_pat:
- return bool(self.cors_origin_pat.match(origin))
+ if self.allow_origin:
+ return self.allow_origin == origin
+ elif self.allow_origin_pat:
+ return bool(self.allow_origin_pat.match(origin))
else:
- # No CORS headers, deny the request
+ # No CORS headers deny the request
return False
def clear_cookie(self, *args, **kwargs):
@@ -117,8 +118,8 @@ class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
# Tornado 4 already does CORS checking
if tornado.version_info[0] < 4:
if not self.check_origin(self.get_origin()):
- self.log.warn("Cross Origin WebSocket Attempt.")
- raise web.HTTPError(404)
+ self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
+ raise web.HTTPError(403)
self.session = Session(config=self.config)
self.save_on_message = self.on_message
diff --git a/IPython/html/notebookapp.py b/IPython/html/notebookapp.py
index cf5288b..3ee4259 100644
--- a/IPython/html/notebookapp.py
+++ b/IPython/html/notebookapp.py
@@ -336,16 +336,16 @@ class NotebookApp(BaseIPythonApplication):
# Network related information
- cors_origin = Unicode('', config=True,
+ allow_origin = Unicode('', config=True,
help="""Set the Access-Control-Allow-Origin header
Use '*' to allow any origin to access your server.
- Mutually exclusive with cors_origin_pat.
+ Takes precedence over allow_origin_pat.
"""
)
- cors_origin_pat = Unicode('', config=True,
+ allow_origin_pat = Unicode('', config=True,
help="""Use a regular expression for the Access-Control-Allow-Origin header
Requests from an origin matching the expression will get replies with:
@@ -354,11 +354,11 @@ class NotebookApp(BaseIPythonApplication):
where `origin` is the origin of the request.
- Mutually exclusive with cors_origin.
+ Ignored if allow_origin is set.
"""
)
- cors_credentials = Bool(False, config=True,
+ allow_credentials = Bool(False, config=True,
help="Set the Access-Control-Allow-Credentials: true header"
)
@@ -649,9 +649,9 @@ class NotebookApp(BaseIPythonApplication):
def init_webapp(self):
"""initialize tornado webapp and httpserver"""
- self.webapp_settings['cors_origin'] = self.cors_origin
- self.webapp_settings['cors_origin_pat'] = re.compile(self.cors_origin_pat)
- self.webapp_settings['cors_credentials'] = self.cors_credentials
+ self.webapp_settings['allow_origin'] = self.allow_origin
+ self.webapp_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
+ self.webapp_settings['allow_credentials'] = self.allow_credentials
self.web_app = NotebookWebApplication(
self, self.kernel_manager, self.notebook_manager,