origin = parsed_origin.netloc
origin = origin.lower()
+ # When origin is None, assume it didn't come from a browser and we can
+ # pass it on
+ if origin is None:
+ pass
# If there was an origin header, check to make sure it matches
# according to check_origin
- if not self.check_origin(origin):
+ elif origin and not self.check_origin(origin):
self.stream.write(tornado.escape.utf8(
"HTTP/1.1 403 Cross Origin Websockets Disabled\r\n\r\n"
))
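Review bot: The `elif origin and not self.check_origin(origin)` guard skips the origin check for every falsy value, not only for a missing header. Because `origin` is reassigned from `parsed_origin.netloc` just above, an Origin value with no network location becomes an empty string and is accepted without being compared to the host; if `parsed_origin` is a urlparse result, that presumably includes the `null` origin browsers send from opaque contexts. Only the `None` case is meant to bypass the check, so the branch should read `elif not self.check_origin(origin):`, which routes the empty string through check_origin and lets it be rejected. The `if origin is None: pass` arm could then be folded into a single `if origin is not None and not self.check_origin(origin):`. The enclosing method starts and ends outside the hunk, so how `origin` is bound before the netloc line is not visible here.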
This is a security protection against cross site scripting attacks on
browsers, since WebSockets don't have CORS headers.
-
- >>> self.check_origin(origin='localhost')
- True
-
"""
- # When origin is None, assume it didn't come from a browser and we can
- # pass it on
- if origin is None:
- return True
host = self.request.headers.get("Host")