##// END OF EJS Templates
s/cors_/allow_/...
MinRK -
Show More
@@ -157,30 +157,30 b' class IPythonHandler(AuthenticatedHandler):'
157 #---------------------------------------------------------------
157 #---------------------------------------------------------------
158
158
159 @property
159 @property
160 def cors_origin(self):
160 def allow_origin(self):
161 """Normal Access-Control-Allow-Origin"""
161 """Normal Access-Control-Allow-Origin"""
162 return self.settings.get('cors_origin', '')
162 return self.settings.get('allow_origin', '')
163
163
164 @property
164 @property
165 def cors_origin_pat(self):
165 def allow_origin_pat(self):
166 """Regular expression version of cors_origin"""
166 """Regular expression version of allow_origin"""
167 return self.settings.get('cors_origin_pat', None)
167 return self.settings.get('allow_origin_pat', None)
168
168
169 @property
169 @property
170 def cors_credentials(self):
170 def allow_credentials(self):
171 """Whether to set Access-Control-Allow-Credentials"""
171 """Whether to set Access-Control-Allow-Credentials"""
172 return self.settings.get('cors_credentials', False)
172 return self.settings.get('allow_credentials', False)
173
173
174 def set_default_headers(self):
174 def set_default_headers(self):
175 """Add CORS headers, if defined"""
175 """Add CORS headers, if defined"""
176 super(IPythonHandler, self).set_default_headers()
176 super(IPythonHandler, self).set_default_headers()
177 if self.cors_origin:
177 if self.allow_origin:
178 self.set_header("Access-Control-Allow-Origin", self.cors_origin)
178 self.set_header("Access-Control-Allow-Origin", self.allow_origin)
179 elif self.cors_origin_pat:
179 elif self.allow_origin_pat:
180 origin = self.get_origin()
180 origin = self.get_origin()
181 if origin and self.cors_origin_pat.match(origin):
181 if origin and self.allow_origin_pat.match(origin):
182 self.set_header("Access-Control-Allow-Origin", origin)
182 self.set_header("Access-Control-Allow-Origin", origin)
183 if self.cors_credentials:
183 if self.allow_credentials:
184 self.set_header("Access-Control-Allow-Credentials", 'true')
184 self.set_header("Access-Control-Allow-Credentials", 'true')
185
185
186 def get_origin(self):
186 def get_origin(self):
@@ -30,8 +30,12 b' from .handlers import IPythonHandler'
30 class ZMQStreamHandler(websocket.WebSocketHandler):
30 class ZMQStreamHandler(websocket.WebSocketHandler):
31
31
32 def check_origin(self, origin):
32 def check_origin(self, origin):
33 """Check Origin == Host or CORS origins."""
33 """Check Origin == Host or Access-Control-Allow-Origin.
34 if self.cors_origin == '*':
34
35 Tornado >= 4 calls this method automatically, raising 403 if it returns False.
36 We call it explicitly in `open` on Tornado < 4.
37 """
38 if self.allow_origin == '*':
35 return True
39 return True
36
40
37 host = self.request.headers.get("Host")
41 host = self.request.headers.get("Host")
@@ -47,15 +51,12 b' class ZMQStreamHandler(websocket.WebSocketHandler):'
47 return True
51 return True
48
52
49 # Check CORS headers
53 # Check CORS headers
50 if self.cors_origin:
54 if self.allow_origin:
51 if self.cors_origin == '*':
55 return self.allow_origin == origin
52 return True
56 elif self.allow_origin_pat:
57 return bool(self.allow_origin_pat.match(origin))
53 else:
58 else:
54 return self.cors_origin == origin
59 # No CORS headers deny the request
55 elif self.cors_origin_pat:
56 return bool(self.cors_origin_pat.match(origin))
57 else:
58 # No CORS headers, deny the request
59 return False
60 return False
60
61
61 def clear_cookie(self, *args, **kwargs):
62 def clear_cookie(self, *args, **kwargs):
@@ -117,8 +118,8 b' class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):'
117 # Tornado 4 already does CORS checking
118 # Tornado 4 already does CORS checking
118 if tornado.version_info[0] < 4:
119 if tornado.version_info[0] < 4:
119 if not self.check_origin(self.get_origin()):
120 if not self.check_origin(self.get_origin()):
120 self.log.warn("Cross Origin WebSocket Attempt.")
121 self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
121 raise web.HTTPError(404)
122 raise web.HTTPError(403)
122
123
123 self.session = Session(config=self.config)
124 self.session = Session(config=self.config)
124 self.save_on_message = self.on_message
125 self.save_on_message = self.on_message
@@ -336,16 +336,16 b' class NotebookApp(BaseIPythonApplication):'
336
336
337 # Network related information
337 # Network related information
338
338
339 cors_origin = Unicode('', config=True,
339 allow_origin = Unicode('', config=True,
340 help="""Set the Access-Control-Allow-Origin header
340 help="""Set the Access-Control-Allow-Origin header
341
341
342 Use '*' to allow any origin to access your server.
342 Use '*' to allow any origin to access your server.
343
343
344 Mutually exclusive with cors_origin_pat.
344 Takes precedence over allow_origin_pat.
345 """
345 """
346 )
346 )
347
347
348 cors_origin_pat = Unicode('', config=True,
348 allow_origin_pat = Unicode('', config=True,
349 help="""Use a regular expression for the Access-Control-Allow-Origin header
349 help="""Use a regular expression for the Access-Control-Allow-Origin header
350
350
351 Requests from an origin matching the expression will get replies with:
351 Requests from an origin matching the expression will get replies with:
@@ -354,11 +354,11 b' class NotebookApp(BaseIPythonApplication):'
354
354
355 where `origin` is the origin of the request.
355 where `origin` is the origin of the request.
356
356
357 Mutually exclusive with cors_origin.
357 Ignored if allow_origin is set.
358 """
358 """
359 )
359 )
360
360
361 cors_credentials = Bool(False, config=True,
361 allow_credentials = Bool(False, config=True,
362 help="Set the Access-Control-Allow-Credentials: true header"
362 help="Set the Access-Control-Allow-Credentials: true header"
363 )
363 )
364
364
@@ -649,9 +649,9 b' class NotebookApp(BaseIPythonApplication):'
649
649
650 def init_webapp(self):
650 def init_webapp(self):
651 """initialize tornado webapp and httpserver"""
651 """initialize tornado webapp and httpserver"""
652 self.webapp_settings['cors_origin'] = self.cors_origin
652 self.webapp_settings['allow_origin'] = self.allow_origin
653 self.webapp_settings['cors_origin_pat'] = re.compile(self.cors_origin_pat)
653 self.webapp_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
654 self.webapp_settings['cors_credentials'] = self.cors_credentials
654 self.webapp_settings['allow_credentials'] = self.allow_credentials
655
655
656 self.web_app = NotebookWebApplication(
656 self.web_app = NotebookWebApplication(
657 self, self.kernel_manager, self.notebook_manager,
657 self, self.kernel_manager, self.notebook_manager,
General Comments 0
You need to be logged in to leave comments. Login now