Performing check only on open.
Kyle Kelley -
@@ -43,28 +43,16 b' from .handlers import IPythonHandler'
43 43
44 44 class ZMQStreamHandler(websocket.WebSocketHandler):
45 45
46 def check_origin(self):
47 """Check origin from headers."""
48 origin_header = self.request.headers["Origin"]
49 host = self.request.headers["Host"]
46 def is_cross_origin(self):
47 """Check to see that origin and host match in the headers."""
48 origin_header = self.request.headers.get("Origin")
49 host = self.request.headers.get("Host")
50 50
51 51 parsed_origin = urlparse(origin_header)
52 52 origin = parsed_origin.netloc
53 53
54 54 # Check to see that origin matches host directly, including ports
55 if origin != host:
56 self.log.warn("Cross Origin WebSocket Attempt.")
57 raise web.HTTPError(404)
58
59
60 def _execute(self, *args, **kwargs):
61 """Wrap all calls to make sure origin gets checked."""
62
63 # Check to see that origin matches host directly, including ports
64 self.check_origin()
65
66 # Pass on the rest of the handling by the WebSocketHandler
67 super(ZMQStreamHandler, self)._execute(*args, **kwargs)
55 return origin != host
68 56
69 57 def clear_cookie(self, *args, **kwargs):
70 58 """meaningless for websockets"""
@@ -114,6 +102,11 b' class ZMQStreamHandler(websocket.WebSocketHandler):'
114 102 class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
115 103
116 104 def open(self, kernel_id):
105 # Check to see that origin matches host directly, including ports
106 if self.is_cross_origin():
107 self.log.warn("Cross Origin WebSocket Attempt.")
108 raise web.HTTPError(404)
109
117 110 self.kernel_id = cast_unicode(kernel_id, 'ascii')
118 111 self.session = Session(config=self.config)
119 112 self.save_on_message = self.on_message
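Review bot: `is_cross_origin` now reads both headers with `.get()`, so a request that carries no `Origin` header passes `None` into `urlparse`, and the outcome is left to how `urlparse` treats `None` rather than to a stated policy. An explicit guard before the parse, such as `if origin_header is None: return True` (or `False` if header-less, non-browser clients are meant to be accepted), would make that decision visible and reviewable. The check also now lives only in `AuthenticatedZMQStreamHandler.open`, where the removed `_execute` wrapper covered every `ZMQStreamHandler` subclass; any other subclass, or an `open` override that does not call this one, would get no origin check, so a short comment on `is_cross_origin` saying that each `open` must call it seems warranted. Since `open` presumably runs after the upgrade response has been sent, the `web.HTTPError(404)` likely ends the connection without the client ever seeing a 404. Both class bodies continue outside the hunks shown.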