Show More
@@ -43,28 +43,16 b' from .handlers import IPythonHandler' | |||
|
43 | 43 | |
|
44 | 44 | class ZMQStreamHandler(websocket.WebSocketHandler): |
|
45 | 45 | |
|
46 |
def |
|
|
47 |
"""Check origin |
|
|
48 |
origin_header = self.request.headers |
|
|
49 |
host = self.request.headers |
|
|
46 | def is_cross_origin(self): | |
|
47 | """Check to see that origin and host match in the headers.""" | |
|
48 | origin_header = self.request.headers.get("Origin") | |
|
49 | host = self.request.headers.get("Host") | |
|
50 | 50 | |
|
51 | 51 | parsed_origin = urlparse(origin_header) |
|
52 | 52 | origin = parsed_origin.netloc |
|
53 | 53 | |
|
54 | 54 | # Check to see that origin matches host directly, including ports |
|
55 |
|
|
|
56 | self.log.warn("Cross Origin WebSocket Attempt.") | |
|
57 | raise web.HTTPError(404) | |
|
58 | ||
|
59 | ||
|
60 | def _execute(self, *args, **kwargs): | |
|
61 | """Wrap all calls to make sure origin gets checked.""" | |
|
62 | ||
|
63 | # Check to see that origin matches host directly, including ports | |
|
64 | self.check_origin() | |
|
65 | ||
|
66 | # Pass on the rest of the handling by the WebSocketHandler | |
|
67 | super(ZMQStreamHandler, self)._execute(*args, **kwargs) | |
|
55 | return origin != host | |
|
68 | 56 | |
|
69 | 57 | def clear_cookie(self, *args, **kwargs): |
|
70 | 58 | """meaningless for websockets""" |
@@ -114,6 +102,11 b' class ZMQStreamHandler(websocket.WebSocketHandler):' | |||
|
114 | 102 | class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler): |
|
115 | 103 | |
|
116 | 104 | def open(self, kernel_id): |
|
105 | # Check to see that origin matches host directly, including ports | |
|
106 | if self.is_cross_origin(): | |
|
107 | self.log.warn("Cross Origin WebSocket Attempt.") | |
|
108 | raise web.HTTPError(404) | |
|
109 | ||
|
117 | 110 | self.kernel_id = cast_unicode(kernel_id, 'ascii') |
|
118 | 111 | self.session = Session(config=self.config) |
|
119 | 112 | self.save_on_message = self.on_message |
General Comments 0
You need to be logged in to leave comments.
Login now