Show More
| @@ -157,30 +157,30 b' class IPythonHandler(AuthenticatedHandler):' | |||
|
|
157 | 157 | #--------------------------------------------------------------- |
|
|
158 | 158 | |
|
|
159 | 159 | @property |
|
|
160 |
def |
|
|
|
160 | def allow_origin(self): | |
|
|
161 | 161 | """Normal Access-Control-Allow-Origin""" |
|
|
162 |
return self.settings.get(' |
|
|
|
162 | return self.settings.get('allow_origin', '') | |
|
|
163 | 163 | |
|
|
164 | 164 | @property |
|
|
165 |
def |
|
|
|
166 |
"""Regular expression version of |
|
|
|
167 |
return self.settings.get(' |
|
|
|
165 | def allow_origin_pat(self): | |
|
|
166 | """Regular expression version of allow_origin""" | |
|
|
167 | return self.settings.get('allow_origin_pat', None) | |
|
|
168 | 168 | |
|
|
169 | 169 | @property |
|
|
170 |
def |
|
|
|
170 | def allow_credentials(self): | |
|
|
171 | 171 | """Whether to set Access-Control-Allow-Credentials""" |
|
|
172 |
return self.settings.get(' |
|
|
|
172 | return self.settings.get('allow_credentials', False) | |
|
|
173 | 173 | |
|
|
174 | 174 | def set_default_headers(self): |
|
|
175 | 175 | """Add CORS headers, if defined""" |
|
|
176 | 176 | super(IPythonHandler, self).set_default_headers() |
|
|
177 |
if self. |
|
|
|
178 |
self.set_header("Access-Control-Allow-Origin", self. |
|
|
|
179 |
elif self. |
|
|
|
177 | if self.allow_origin: | |
|
|
178 | self.set_header("Access-Control-Allow-Origin", self.allow_origin) | |
|
|
179 | elif self.allow_origin_pat: | |
|
|
180 | 180 | origin = self.get_origin() |
|
|
181 |
if origin and self. |
|
|
|
181 | if origin and self.allow_origin_pat.match(origin): | |
|
|
182 | 182 | self.set_header("Access-Control-Allow-Origin", origin) |
|
|
183 |
if self. |
|
|
|
183 | if self.allow_credentials: | |
|
|
184 | 184 | self.set_header("Access-Control-Allow-Credentials", 'true') |
|
|
185 | 185 | |
|
|
186 | 186 | def get_origin(self): |
| @@ -30,8 +30,12 b' from .handlers import IPythonHandler' | |||
|
|
30 | 30 | class ZMQStreamHandler(websocket.WebSocketHandler): |
|
|
31 | 31 | |
|
|
32 | 32 | def check_origin(self, origin): |
|
|
33 |
"""Check Origin == Host or C |
|
|
|
34 | if self.cors_origin == '*': | |
|
|
33 | """Check Origin == Host or Access-Control-Allow-Origin. | |
|
|
34 | ||
|
|
35 | Tornado >= 4 calls this method automatically, raising 403 if it returns False. | |
|
|
36 | We call it explicitly in `open` on Tornado < 4. | |
|
|
37 | """ | |
|
|
38 | if self.allow_origin == '*': | |
|
|
35 | 39 | return True |
|
|
36 | 40 | |
|
|
37 | 41 | host = self.request.headers.get("Host") |
| @@ -47,15 +51,12 b' class ZMQStreamHandler(websocket.WebSocketHandler):' | |||
|
|
47 | 51 | return True |
|
|
48 | 52 | |
|
|
49 | 53 | # Check CORS headers |
|
|
50 |
if self. |
|
|
|
51 |
|
|
|
|
52 | return True | |
|
|
53 | else: | |
|
|
54 | return self.cors_origin == origin | |
|
|
55 | elif self.cors_origin_pat: | |
|
|
56 | return bool(self.cors_origin_pat.match(origin)) | |
|
|
54 | if self.allow_origin: | |
|
|
55 | return self.allow_origin == origin | |
|
|
56 | elif self.allow_origin_pat: | |
|
|
57 | return bool(self.allow_origin_pat.match(origin)) | |
|
|
57 | 58 | else: |
|
|
58 |
# No CORS headers |
|
|
|
59 | # No CORS headers deny the request | |
|
|
59 | 60 | return False |
|
|
60 | 61 | |
|
|
61 | 62 | def clear_cookie(self, *args, **kwargs): |
| @@ -117,8 +118,8 b' class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):' | |||
|
|
117 | 118 | # Tornado 4 already does CORS checking |
|
|
118 | 119 | if tornado.version_info[0] < 4: |
|
|
119 | 120 | if not self.check_origin(self.get_origin()): |
|
|
120 |
self.log.warn("Cross Origin WebSocket Attempt |
|
|
|
121 |
raise web.HTTPError(40 |
|
|
|
121 | self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin()) | |
|
|
122 | raise web.HTTPError(403) | |
|
|
122 | 123 | |
|
|
123 | 124 | self.session = Session(config=self.config) |
|
|
124 | 125 | self.save_on_message = self.on_message |
| @@ -336,16 +336,16 b' class NotebookApp(BaseIPythonApplication):' | |||
|
|
336 | 336 | |
|
|
337 | 337 | # Network related information |
|
|
338 | 338 | |
|
|
339 |
|
|
|
|
339 | allow_origin = Unicode('', config=True, | |
|
|
340 | 340 | help="""Set the Access-Control-Allow-Origin header |
|
|
341 | 341 | |
|
|
342 | 342 | Use '*' to allow any origin to access your server. |
|
|
343 | 343 | |
|
|
344 | Mutually exclusive with cors_origin_pat. | |
|
|
344 | Takes precedence over allow_origin_pat. | |
|
|
345 | 345 | """ |
|
|
346 | 346 | ) |
|
|
347 | 347 | |
|
|
348 |
|
|
|
|
348 | allow_origin_pat = Unicode('', config=True, | |
|
|
349 | 349 | help="""Use a regular expression for the Access-Control-Allow-Origin header |
|
|
350 | 350 | |
|
|
351 | 351 | Requests from an origin matching the expression will get replies with: |
| @@ -354,11 +354,11 b' class NotebookApp(BaseIPythonApplication):' | |||
|
|
354 | 354 | |
|
|
355 | 355 | where `origin` is the origin of the request. |
|
|
356 | 356 | |
|
|
357 | Mutually exclusive with cors_origin. | |
|
|
357 | Ignored if allow_origin is set. | |
|
|
358 | 358 | """ |
|
|
359 | 359 | ) |
|
|
360 | 360 | |
|
|
361 |
|
|
|
|
361 | allow_credentials = Bool(False, config=True, | |
|
|
362 | 362 | help="Set the Access-Control-Allow-Credentials: true header" |
|
|
363 | 363 | ) |
|
|
364 | 364 | |
| @@ -649,9 +649,9 b' class NotebookApp(BaseIPythonApplication):' | |||
|
|
649 | 649 | |
|
|
650 | 650 | def init_webapp(self): |
|
|
651 | 651 | """initialize tornado webapp and httpserver""" |
|
|
652 |
self.webapp_settings[' |
|
|
|
653 |
self.webapp_settings[' |
|
|
|
654 |
self.webapp_settings[' |
|
|
|
652 | self.webapp_settings['allow_origin'] = self.allow_origin | |
|
|
653 | self.webapp_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat) | |
|
|
654 | self.webapp_settings['allow_credentials'] = self.allow_credentials | |
|
|
655 | 655 | |
|
|
656 | 656 | self.web_app = NotebookWebApplication( |
|
|
657 | 657 | self, self.kernel_manager, self.notebook_manager, |
General Comments 0
You need to be logged in to leave comments.
Login now