Add Origin Checking. #4845

Merged
merged 9 commits into from Jan 31, 2014

Member

rgbkrk commented Jan 21, 2014

This verifies that requests originate from the same host that a notebook is run on.


# Check to see that origin matches host directly, including ports
if origin != host:
self.log.critical("Cross Origin WebSocket Attempt.", exc_info=True)
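
Review bot: `self.log.critical` in the `if origin != host:` branch is a heavy level for a condition that any remote page can trigger at will, and the message carries neither value being compared. A warning fits better, and including both values makes the entry usable in triage, e.g. `self.log.warning("Cross Origin WebSocket Attempt: origin=%r host=%r", origin, host)`. The visible lines only log; confirm that the branch goes on to refuse the connection rather than falling through.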


minrk Jan 21, 2014

Member

Probably don't need exc_info=True, since there is no exception

@@ -17,6 +17,11 @@
#-----------------------------------------------------------------------------

try:
from urllib.parse import urlparse


fperez Jan 21, 2014

Member

I'd add a comment here indicating this is the py3 codepath. That way we'll know in the future and when we drop py2 compatibility, we can remove the py2 path.

origin = parsed_origin.netloc

# Check to see that origin matches host directly, including ports
if origin != host:
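
Review bot: the comparison `if origin != host:` is an exact string match between `parsed_origin.netloc` and the raw Host header, so equivalent values that differ only in letter case or in an explicit default port (`example.com` against `example.com:443`) will be treated as cross-origin. Lower-case both sides and settle how default ports are compared before this check; the comment says "including ports", so it should also say what happens when one side omits the port.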


minrk Jan 21, 2014

Member

just need to check that Host and Origin are both affected in the same way by proxies / tunnels

def check_origin(self):
"""Check origin from headers."""
origin_header = self.request.headers["Origin"]
host = self.request.headers["Host"]
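
Review bot: `self.request.headers["Origin"]` and `self.request.headers["Host"]` index the headers directly, so a request that arrives without an Origin header (non-browser WebSocket clients commonly omit it) fails on the lookup instead of reaching the check. Read both with `.get()` and state in the docstring what `check_origin` does when Origin is missing, so that case is a decision and not an accident.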


minrk Jan 22, 2014

Member

Probably use get, in the unlikely event these are undefined.

Member

minrk commented Jan 22, 2014

You mentioned moving the check to on_open in authenticated handler, did you still want to do that?

Member Author

rgbkrk commented Jan 23, 2014

Yeah, I'll override open.

rgbkrk added 4 commits Jan 23, 2014
@ghost ghost assigned ellisonbg Jan 23, 2014
Member

damianavila commented Jan 25, 2014

AFAIK, LGTM 😉

minrk added a commit that referenced this pull request Jan 31, 2014
Add Origin checking for websockets.
@minrk minrk merged commit e5b669c into ipython:master Jan 31, 2014
1 check passed
default The Travis CI build passed
minrk added a commit that referenced this pull request Jan 31, 2014
pankajp added a commit to pankajp/ipython that referenced this pull request Feb 19, 2014
@rgbkrk rgbkrk deleted the rgbkrk:origin_host branch May 8, 2014
mattvonrocketstein pushed a commit to mattvonrocketstein/ipython that referenced this pull request Nov 3, 2014
Add Origin checking for websockets.