##// END OF EJS Templates
Add Origin Checking.
Kyle Kelley -
Show More
@@ -17,6 +17,11 b' Authors:'
17 17 #-----------------------------------------------------------------------------
18 18
19 19 try:
20 from urllib.parse import urlparse
21 except ImportError:
22 from urlparse import urlparse
23
24 try:
20 25 from http.cookies import SimpleCookie # Py 3
21 26 except ImportError:
22 27 from Cookie import SimpleCookie # Py 2
@@ -37,6 +42,29 b' from .handlers import IPythonHandler'
37 42 #-----------------------------------------------------------------------------
38 43
39 44 class ZMQStreamHandler(websocket.WebSocketHandler):
45
46 def check_origin(self):
47 """Check origin from headers."""
48 origin_header = self.request.headers["Origin"]
49 host = self.request.headers["Host"]
50
51 parsed_origin = urlparse(origin_header)
52 origin = parsed_origin.netloc
53
54 # Check to see that origin matches host directly, including ports
55 if origin != host:
56 self.log.critical("Cross Origin WebSocket Attempt.", exc_info=True)
57 raise web.HTTPError(404)
58
59
60 def _execute(self, transforms, *args, **kwargs):
61 """Wrap all calls to make sure origin gets checked."""
62
63 # Check to see that origin matches host directly, including ports
64 self.check_origin()
65
66 # Pass on the rest of the handling by the WebSocketHandler
67 super(ZMQStreamHandler, self)._execute(transforms, *args, **kwargs)
40 68
41 69 def clear_cookie(self, *args, **kwargs):
42 70 """meaningless for websockets"""
General Comments 0
You need to be logged in to leave comments. Login now