From: Ben Darnell
Date: Mon, 5 Sep 2016 13:18:20 +0000 (+0800)
Subject: websocket: Add security warning to check_origin docs
X-Git-Tag: v4.5.0~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac340a732875ed48663d756d0aee838de7dca6cb;p=thirdparty%2Ftornado.git

websocket: Add security warning to check_origin docs
---
diff --git a/tornado/websocket.py b/tornado/websocket.py
index 3bbd08ab4..6e1220b3e 100644
--- a/tornado/websocket.py
+++ b/tornado/websocket.py
@@ -315,6 +315,19 @@ class WebSocketHandler(tornado.web.RequestHandler):
 browsers, since WebSockets are allowed to bypass the usual same-origin
 policies and don't use CORS headers.
+ .. warning::
+
+ This is an important security measure; don't disable it
+ without understanding the security implications. In
+ particular, if your authenticatino is cookie-based, you
+ must either restrict the origins allowed by
+ ``check_origin()`` or implement your own XSRF-like
+ protection for websocket connections. See `these
+ `_
+ `articles
+ `_
+ for more.
+
 To accept all cross-origin traffic (which was the default prior to
 Tornado 4.0), simply override this method to always return true::
@@ -329,6 +342,7 @@ class WebSocketHandler(tornado.web.RequestHandler):
 return parsed_origin.netloc.endswith(".mydomain.com")
 .. versionadded:: 4.0
+ """
 parsed_origin = urlparse(origin)
 origin = parsed_origin.netloc
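Review bot: The added warning in the first hunk misspells "authentication" as "authenticatino"; the line should read `particular, if your authentication is cookie-based, you`. This text is rendered in the public API docs for check_origin, and the sentence it sits in is the one that explains why cookie-authenticated deployments must not loosen the origin check, so the typo is worth fixing before release. The targets of the `these` and `articles` references are not visible on this rendering of the patch, so I cannot confirm they resolve; it is worth verifying that each `<url>`_ target is present in the committed file so the warning does not point readers at broken links. The docstring belongs to check_origin, whose definition begins outside the hunk.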