self.assertEqual(code, 1001)
self.assertEqual(reason, 'goodbye')
+ @gen_test
+ def test_check_origin_valid(self):
+ port = self.get_http_port()
+
+ url = 'ws://localhost:%d/echo' % port
+ headers = {'Origin': 'http://localhost:%d' % port}
+
+ ws = yield websocket_connect(HTTPRequest(url, headers=headers),
+ io_loop=self.io_loop)
+ ws.write_message('hello')
+ response = yield ws.read_message()
+ self.assertEqual(response, 'hello')
+ ws.close()
+ yield self.close_future
+
+ @gen_test
+ def test_check_origin_invalid(self):
+ '''Currently a failing test'''
+ port = self.get_http_port()
+
+ url = 'ws://localhost:%d/echo' % port
+ headers = {'Origin': 'http://somewhereelse.com'}
+
+ ws = yield websocket_connect(HTTPRequest(url, headers=headers),
+ io_loop=self.io_loop)
+ ws.write_message('hello')
+
+ response = yield ws.read_message()
+
+ self.assertEqual(response, 'hello')
+ ws.close()
+ yield self.close_future
+
class MaskFunctionMixin(object):
# Subclasses should define self.mask(mask, data)
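Review bot: `test_check_origin_invalid` asserts that a handshake sent with `Origin: http://somewhereelse.com` connects and echoes `'hello'`, which is the opposite of what the origin check is meant to guarantee. The test only passes while cross-origin connections are still accepted, and its docstring `'''Currently a failing test'''` leaves the intended outcome unstated. The test should expect the rejection instead: wrap the connect in `with self.assertRaises(HTTPError) as cm:` and follow it with `self.assertEqual(cm.exception.code, 403)`. The 403 status and the availability of `HTTPError` in this test module are assumptions to confirm against the handler. The docstring would then read `'''A mismatched Origin header must be refused at the handshake.'''`, and the `write_message`/`read_message` lines can be dropped.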
By default, this checks to see that requests that provide both a host
origin have the same origin and host This is a security protection
against cross site scripting attacks on browsers,
- since WebSockets don't have CORS headers."""
-
+ since WebSockets don't have CORS headers.
+
+ >>> self.check_origins(allowed_origins=['localhost'])
+
+ """
# Handle WebSocket Origin naming convention differences
# The difference between version 8 and 13 is that in 8 the
# client sends a "Sec-Websocket-Origin" header and in 13 it's
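Review bot: The added docstring example `>>> self.check_origins(allowed_origins=['localhost'])` is written as a doctest but cannot run as one, because it has no `self` and no expected output. Its allow-list entry also has no port, while the code further down compares against `parsed_origin.netloc`, which includes the port when the Origin header carries one. A plain indented example with a constructed value such as `allowed_origins=['localhost:8888']` would match what is actually compared. The surrounding text calls the threat "cross site scripting", but what an Origin check mitigates is a page on another site opening a WebSocket with the user's cookies (cross-site WebSocket hijacking). I would reword it as `This protects against cross-site WebSocket hijacking, since WebSockets are not subject to CORS.` and fix "both a host origin" to "both a Host and an Origin header". The docstring starts outside this hunk.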
parsed_origin = urlparse(origin_header)
origin = parsed_origin.netloc
- if origin in allowed_origins:
+ if allowed_origins and origin in allowed_origins:
return True
# Check to see that origin matches host directly, including ports
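Review bot: The allow-list test `origin in allowed_origins` compares only `parsed_origin.netloc`, so the scheme of the Origin header is discarded and the match is case-sensitive. An entry therefore trusts the `http://` and `https://` origins of a host equally, and a mixed-case entry never matches the lower-case value browsers send. If `allowed_origins` is passed as a single string rather than a list, `in` silently becomes a substring test, which is looser than intended. I would normalise with `origin = parsed_origin.netloc.lower()`, document that entries are `host[:port]` strings in a list or set, and consider comparing `scheme://netloc` if the caller needs to require TLS origins. The function continues past the end of this hunk, so the Host comparison that follows is not reviewed here.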