@@ -57,23 +57,33 b' class ZMQStreamHandler(websocket.WebSocketHandler):' | |||||
57 | host = self.request.headers.get("Host") |
|
57 | host = self.request.headers.get("Host") | |
58 |
|
58 | |||
59 | # If no header is provided, assume we can't verify origin |
|
59 | # If no header is provided, assume we can't verify origin | |
60 |
if |
|
60 | if origin is None: | |
|
61 | self.log.warn("Missing Origin header, rejecting WebSocket connection.") | |||
|
62 | return False | |||
|
63 | if host is None: | |||
|
64 | self.log.warn("Missing Host header, rejecting WebSocket connection.") | |||
61 | return False |
|
65 | return False | |
62 |
|
66 | |||
63 | host_origin = "{0}://{1}".format(self.request.protocol, host) |
|
67 | origin = origin.lower() | |
|
68 | origin_host = urlparse(origin).netloc | |||
64 |
|
69 | |||
65 | # OK if origin matches host |
|
70 | # OK if origin matches host | |
66 |
if origin == host |
|
71 | if origin_host == host: | |
67 | return True |
|
72 | return True | |
68 |
|
73 | |||
69 | # Check CORS headers |
|
74 | # Check CORS headers | |
70 | if self.allow_origin: |
|
75 | if self.allow_origin: | |
71 |
|
|
76 | allow = self.allow_origin == origin | |
72 | elif self.allow_origin_pat: |
|
77 | elif self.allow_origin_pat: | |
73 |
|
|
78 | allow = bool(self.allow_origin_pat.match(origin)) | |
74 | else: |
|
79 | else: | |
75 | # No CORS headers deny the request |
|
80 | # No CORS headers deny the request | |
76 |
|
|
81 | allow = False | |
|
82 | if not allow: | |||
|
83 | self.log.warn("Blocking Cross Origin WebSocket Attempt. Origin: %s, Host: %s", | |||
|
84 | origin, host, | |||
|
85 | ) | |||
|
86 | return allow | |||
77 |
|
87 | |||
78 | def clear_cookie(self, *args, **kwargs): |
|
88 | def clear_cookie(self, *args, **kwargs): | |
79 | """meaningless for websockets""" |
|
89 | """meaningless for websockets""" | |
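Review bot: The same-host shortcut `if origin_host == host:` now compares only the netloc of the Origin header, so the request protocol that the removed `host_origin` line folded into the comparison is no longer checked; an Origin with a different scheme but the same host string is accepted before the allow_origin/allow_origin_pat checks run. If dropping the scheme is intentional (for instance because `self.request.protocol` is not reliable behind a TLS-terminating proxy), that reasoning belongs in a comment on that line; otherwise compare the full lowercased origin against `"{0}://{1}".format(self.request.protocol, host.lower())` as before. Note also that `origin` is lowercased but `host` is not, so a mixed-case Host header would fail this equality and fall through to the CORS branch, and that `self.allow_origin_pat.match(origin)` anchors only at the start of the string, so the configured pattern must carry its own end anchor unless that is added where the pattern is compiled. The enclosing `check_origin` method starts above this hunk.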
@@ -134,7 +144,6 b' class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):' | |||||
134 | # Tornado 4 already does CORS checking |
|
144 | # Tornado 4 already does CORS checking | |
135 | if tornado.version_info[0] < 4: |
|
145 | if tornado.version_info[0] < 4: | |
136 | if not self.check_origin(self.get_origin()): |
|
146 | if not self.check_origin(self.get_origin()): | |
137 | self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin()) |
|
|||
138 | raise web.HTTPError(403) |
|
147 | raise web.HTTPError(403) | |
139 |
|
148 | |||
140 | self.session = Session(config=self.config) |
|
149 | self.session = Session(config=self.config) |