From 812a795605e6fe9d4ebff54d1f67aa29d82d52f2 2014-09-16 00:17:08 From: MinRK Date: 2014-09-16 00:17:08 Subject: [PATCH] only compare host:port in Websocket.check_origin don't include protocol - matches tornado's own behavior - avoids incorrect 403 in http-behind-https proxy situations.
---
diff --git a/IPython/html/base/zmqhandlers.py b/IPython/html/base/zmqhandlers.py
index 768e544..4cd98e2 100644
--- a/IPython/html/base/zmqhandlers.py
+++ b/IPython/html/base/zmqhandlers.py
@@ -45,10 +45,11 @@ class ZMQStreamHandler(websocket.WebSocketHandler):
 if(origin is None or host is None):
 return False
- host_origin = "{0}://{1}".format(self.request.protocol, host)
+ origin = origin.lower()
+ origin_host = urlparse(origin).netloc
 # OK if origin matches host
- if origin == host_origin:
+ if origin_host == host:
 return True
 # Check CORS headers
@@ -58,6 +59,7 @@ class ZMQStreamHandler(websocket.WebSocketHandler):
 return bool(self.allow_origin_pat.match(origin))
 else:
 # No CORS headers deny the request
+ self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
 return False
 def clear_cookie(self, *args, **kwargs):
@@ -143,7 +145,6 @@ class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
 # Tornado 4 already does CORS checking
 if tornado.version_info[0] < 4:
 if not self.check_origin(self.get_origin()):
- self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
 raise web.HTTPError(403)
 self.session = Session(config=self.config)
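Review bot: In the `@@ -45,10 +45,11 @@` hunk the new comparison `origin_host == host` has no non-empty guard. `urlparse(origin).netloc` is an empty string for an Origin value with no authority part (for example `null`), and the check above only rejects `None`, so an empty Host value would compare equal; `if origin_host and origin_host == host:` closes that case. Separately, `origin` is lowercased while `host` is compared as received, and the lowercased `origin` is what later reaches `self.allow_origin_pat.match(origin)`, so a mixed-case Host header or an allow-list pattern containing upper-case characters would now be refused. Lowercasing `host` as well, and adding a comment such as `# scheme is deliberately ignored; only host:port is compared, case-insensitively`, would make the rule explicit. The method starts before this hunk, so how `host` is read is not visible here.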
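Review bot: In the `@@ -58,6 +59,7 @@` hunk the warning is emitted only in the final `else` branch, so a request refused by the pattern branch (`return bool(self.allow_origin_pat.match(origin))` evaluating to False) leaves no log entry. The line this commit removes from the caller logged every failed check on the Tornado < 4 path, so denial logging becomes narrower for deployments that configure an allow-list. Logging at each denying return would keep that coverage, for example `self.log.warning("Blocking cross-origin WebSocket attempt, Origin: %r", origin)`; `%r` also avoids writing the client-supplied header value raw into the log. The branches above the visible `return bool(...)` lie outside the hunk.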