From: Kyle Kelley
Date: Fri, 24 Jan 2014 05:25:44 +0000 (-0600)
Subject: Disable cross origin websockets by default.
X-Git-Tag: v4.0.0b1~35^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=917b54af98a61d62971740e6d05bf4225307daa4;p=thirdparty%2Ftornado.git

Disable cross origin websockets by default.
---

diff --git a/tornado/websocket.py b/tornado/websocket.py
index 66a4fedf9..fc61c2f67 100644
--- a/tornado/websocket.py
+++ b/tornado/websocket.py
@@ -41,6 +41,11 @@ from tornado.netutil import Resolver
 from tornado import simple_httpclient
 from tornado.util import bytes_type, unicode_type
 
+try:
+    from urllib.parse import urlparse  # py2
+except ImportError:
+    from urlparse import urlparse  # py3
+
 try:
     xrange  # py2
 except NameError:
@@ -156,6 +161,32 @@ class WebSocketHandler(tornado.web.RequestHandler):
                 "Sec-WebSocket-Version: 8\r\n\r\n"))
             self.stream.close()
 
+        # Assume cross origin is disallowed by default, while allowing users to
+        # choose
+        if kwargs.get('allow_cross_origin', False):
+            pass
+        # Check that the host and origin match
+        elif not self.same_origin():
+            self.stream.write(tornado.escape.utf8(
+                "HTTP/1.1 403 Cross Origin Websockets Disabled\r\n\r\n"
+            ))
+            self.stream.close()
+
+    def same_origin(self):
+        """Check to see that origin and host match in the headers."""
+        origin_header = self.request.headers.get("Origin")
+        host = self.request.headers.get("Host")
+
+        # If no header is provided, assume we can't verify origin
+        if(origin_header is None or host is None):
+            return False
+
+        parsed_origin = urlparse(origin_header)
+        origin = parsed_origin.netloc
+
+        # Check to see that origin matches host directly, including ports
+        return origin == host
+
     def write_message(self, message, binary=False):
         """Sends the given message to the client of this Web Socket.
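Review bot: The comments on the two new urlparse imports are swapped: `urllib.parse` is the Python 3 location and the bare `urlparse` module the Python 2 one, so the first line should read `from urllib.parse import urlparse  # py3` and the fallback `from urlparse import urlparse  # py2`. The try/except shape itself mirrors the `xrange` guard that follows, so only the labels need changing.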
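Review bot: The new origin check runs unconditionally after the `else` branch that has already written a 426 and called `self.stream.close()`, so for a non-matching origin the handler writes a second response to a stream it just closed; the accepting branch of that `if` is above the hunk, but by the same placement a 403 there would be written after the handshake has been accepted rather than instead of it. The check belongs before the version dispatch that appears to precede it, and should `return` after closing so the rest of the enclosing method (which starts outside the hunk) does not proceed. In `same_origin`, `origin == host` is case-sensitive although host names are not, so `return origin.lower() == host.lower()` is the safer comparison, and a Host header carrying an explicit default port will not match an Origin that omits it — worth stating in the docstring so operators know why legitimate clients may be refused. `kwargs` here looks like the URL-pattern match groups, which makes `allow_cross_origin` awkward to set from application code; a class attribute or an overridable method next to `same_origin` would be the more conventional switch.
```python
        # … unchanged: earlier handshake validation …
        # Decide on the origin before any response bytes are written, so a
        # refusal is the only response the client sees.
        if not kwargs.get('allow_cross_origin', False) and not self.same_origin():
            self.stream.write(tornado.escape.utf8(
                "HTTP/1.1 403 Cross Origin Websockets Disabled\r\n\r\n"
            ))
            self.stream.close()
            return
        # … unchanged: Sec-WebSocket-Version dispatch (accept or 426) …
```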