Show More
@@ -157,30 +157,30 b' class IPythonHandler(AuthenticatedHandler):' | |||||
157 | #--------------------------------------------------------------- |
|
157 | #--------------------------------------------------------------- | |
158 |
|
158 | |||
159 | @property |
|
159 | @property | |
160 |
def |
|
160 | def allow_origin(self): | |
161 | """Normal Access-Control-Allow-Origin""" |
|
161 | """Normal Access-Control-Allow-Origin""" | |
162 |
return self.settings.get(' |
|
162 | return self.settings.get('allow_origin', '') | |
163 |
|
163 | |||
164 | @property |
|
164 | @property | |
165 |
def |
|
165 | def allow_origin_pat(self): | |
166 |
"""Regular expression version of |
|
166 | """Regular expression version of allow_origin""" | |
167 |
return self.settings.get(' |
|
167 | return self.settings.get('allow_origin_pat', None) | |
168 |
|
168 | |||
169 | @property |
|
169 | @property | |
170 |
def |
|
170 | def allow_credentials(self): | |
171 | """Whether to set Access-Control-Allow-Credentials""" |
|
171 | """Whether to set Access-Control-Allow-Credentials""" | |
172 |
return self.settings.get(' |
|
172 | return self.settings.get('allow_credentials', False) | |
173 |
|
173 | |||
174 | def set_default_headers(self): |
|
174 | def set_default_headers(self): | |
175 | """Add CORS headers, if defined""" |
|
175 | """Add CORS headers, if defined""" | |
176 | super(IPythonHandler, self).set_default_headers() |
|
176 | super(IPythonHandler, self).set_default_headers() | |
177 |
if self. |
|
177 | if self.allow_origin: | |
178 |
self.set_header("Access-Control-Allow-Origin", self. |
|
178 | self.set_header("Access-Control-Allow-Origin", self.allow_origin) | |
179 |
elif self. |
|
179 | elif self.allow_origin_pat: | |
180 | origin = self.get_origin() |
|
180 | origin = self.get_origin() | |
181 |
if origin and self. |
|
181 | if origin and self.allow_origin_pat.match(origin): | |
182 | self.set_header("Access-Control-Allow-Origin", origin) |
|
182 | self.set_header("Access-Control-Allow-Origin", origin) | |
183 |
if self. |
|
183 | if self.allow_credentials: | |
184 | self.set_header("Access-Control-Allow-Credentials", 'true') |
|
184 | self.set_header("Access-Control-Allow-Credentials", 'true') | |
185 |
|
185 | |||
186 | def get_origin(self): |
|
186 | def get_origin(self): |
@@ -30,8 +30,12 b' from .handlers import IPythonHandler' | |||||
30 | class ZMQStreamHandler(websocket.WebSocketHandler): |
|
30 | class ZMQStreamHandler(websocket.WebSocketHandler): | |
31 |
|
31 | |||
32 | def check_origin(self, origin): |
|
32 | def check_origin(self, origin): | |
33 |
"""Check Origin == Host or C |
|
33 | """Check Origin == Host or Access-Control-Allow-Origin. | |
34 | if self.cors_origin == '*': |
|
34 | ||
|
35 | Tornado >= 4 calls this method automatically, raising 403 if it returns False. | |||
|
36 | We call it explicitly in `open` on Tornado < 4. | |||
|
37 | """ | |||
|
38 | if self.allow_origin == '*': | |||
35 | return True |
|
39 | return True | |
36 |
|
40 | |||
37 | host = self.request.headers.get("Host") |
|
41 | host = self.request.headers.get("Host") | |
@@ -47,15 +51,12 b' class ZMQStreamHandler(websocket.WebSocketHandler):' | |||||
47 | return True |
|
51 | return True | |
48 |
|
52 | |||
49 | # Check CORS headers |
|
53 | # Check CORS headers | |
50 |
if self. |
|
54 | if self.allow_origin: | |
51 |
|
|
55 | return self.allow_origin == origin | |
52 | return True |
|
56 | elif self.allow_origin_pat: | |
|
57 | return bool(self.allow_origin_pat.match(origin)) | |||
53 |
|
|
58 | else: | |
54 | return self.cors_origin == origin |
|
59 | # No CORS headers deny the request | |
55 | elif self.cors_origin_pat: |
|
|||
56 | return bool(self.cors_origin_pat.match(origin)) |
|
|||
57 | else: |
|
|||
58 | # No CORS headers, deny the request |
|
|||
59 | return False |
|
60 | return False | |
60 |
|
61 | |||
61 | def clear_cookie(self, *args, **kwargs): |
|
62 | def clear_cookie(self, *args, **kwargs): | |
@@ -117,8 +118,8 b' class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):' | |||||
117 | # Tornado 4 already does CORS checking |
|
118 | # Tornado 4 already does CORS checking | |
118 | if tornado.version_info[0] < 4: |
|
119 | if tornado.version_info[0] < 4: | |
119 | if not self.check_origin(self.get_origin()): |
|
120 | if not self.check_origin(self.get_origin()): | |
120 |
self.log.warn("Cross Origin WebSocket Attempt |
|
121 | self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin()) | |
121 |
raise web.HTTPError(40 |
|
122 | raise web.HTTPError(403) | |
122 |
|
123 | |||
123 | self.session = Session(config=self.config) |
|
124 | self.session = Session(config=self.config) | |
124 | self.save_on_message = self.on_message |
|
125 | self.save_on_message = self.on_message |
@@ -336,16 +336,16 b' class NotebookApp(BaseIPythonApplication):' | |||||
336 |
|
336 | |||
337 | # Network related information |
|
337 | # Network related information | |
338 |
|
338 | |||
339 |
|
|
339 | allow_origin = Unicode('', config=True, | |
340 | help="""Set the Access-Control-Allow-Origin header |
|
340 | help="""Set the Access-Control-Allow-Origin header | |
341 |
|
341 | |||
342 | Use '*' to allow any origin to access your server. |
|
342 | Use '*' to allow any origin to access your server. | |
343 |
|
343 | |||
344 | Mutually exclusive with cors_origin_pat. |
|
344 | Takes precedence over allow_origin_pat. | |
345 | """ |
|
345 | """ | |
346 | ) |
|
346 | ) | |
347 |
|
347 | |||
348 |
|
|
348 | allow_origin_pat = Unicode('', config=True, | |
349 | help="""Use a regular expression for the Access-Control-Allow-Origin header |
|
349 | help="""Use a regular expression for the Access-Control-Allow-Origin header | |
350 |
|
350 | |||
351 | Requests from an origin matching the expression will get replies with: |
|
351 | Requests from an origin matching the expression will get replies with: | |
@@ -354,11 +354,11 b' class NotebookApp(BaseIPythonApplication):' | |||||
354 |
|
354 | |||
355 | where `origin` is the origin of the request. |
|
355 | where `origin` is the origin of the request. | |
356 |
|
356 | |||
357 | Mutually exclusive with cors_origin. |
|
357 | Ignored if allow_origin is set. | |
358 | """ |
|
358 | """ | |
359 | ) |
|
359 | ) | |
360 |
|
360 | |||
361 |
|
|
361 | allow_credentials = Bool(False, config=True, | |
362 | help="Set the Access-Control-Allow-Credentials: true header" |
|
362 | help="Set the Access-Control-Allow-Credentials: true header" | |
363 | ) |
|
363 | ) | |
364 |
|
364 | |||
@@ -649,9 +649,9 b' class NotebookApp(BaseIPythonApplication):' | |||||
649 |
|
649 | |||
650 | def init_webapp(self): |
|
650 | def init_webapp(self): | |
651 | """initialize tornado webapp and httpserver""" |
|
651 | """initialize tornado webapp and httpserver""" | |
652 |
self.webapp_settings[' |
|
652 | self.webapp_settings['allow_origin'] = self.allow_origin | |
653 |
self.webapp_settings[' |
|
653 | self.webapp_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat) | |
654 |
self.webapp_settings[' |
|
654 | self.webapp_settings['allow_credentials'] = self.allow_credentials | |
655 |
|
655 | |||
656 | self.web_app = NotebookWebApplication( |
|
656 | self.web_app = NotebookWebApplication( | |
657 | self, self.kernel_manager, self.notebook_manager, |
|
657 | self, self.kernel_manager, self.notebook_manager, |
General Comments 0
You need to be logged in to leave comments.
Login now