Add Origin Checking. #4845

Merged
merged 9 commits into from Jan 31, 2014

rgbkrk (Member) commented Jan 21, 2014

This verifies that requests originate from the same host that a notebook is run on.


# Check to see that origin matches host directly, including ports
if origin != host:
self.log.critical("Cross Origin WebSocket Attempt.", exc_info=True)
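
Review bot: the `self.log.critical(...)` call records neither the `origin` nor the `host` value that failed the comparison, so the log line cannot tell an operator which site attempted the connection; include both, formatted with `%r`. `exc_info=True` adds nothing here because no exception is active, and `critical` is a high level for a request the server rejects as designed; `warning` fits better.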

minrk (Member) commented Jan 21, 2014

Probably don't need exc_info=True, since there is no exception

@@ -17,6 +17,11 @@
#-----------------------------------------------------------------------------

try:
from urllib.parse import urlparse

fperez (Member) commented Jan 21, 2014

I'd add a comment here indicating this is the py3 codepath. That way we'll know in the future and when we drop py2 compatibility, we can remove the py2 path.

origin = parsed_origin.netloc

# Check to see that origin matches host directly, including ports
if origin != host:
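
Review bot: `if origin != host:` compares `parsed_origin.netloc` with the raw Host header as plain strings, so a difference in letter case or an explicit default port (`example.com:80` against `example.com`) is treated as cross-origin. `urlparse` does not lowercase `netloc`; comparing the lowercased hostname and the effective port on both sides would avoid false rejections.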

minrk (Member) commented Jan 21, 2014

just need to check that Host and Origin are both affected in the same way by proxies / tunnels

def check_origin(self):
"""Check origin from headers."""
origin_header = self.request.headers["Origin"]
host = self.request.headers["Host"]
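
Review bot: `self.request.headers["Origin"]` and `self.request.headers["Host"]` in `check_origin` raise `KeyError` when a header is absent, and clients other than browsers may send no Origin at all. Read both with `.get()` and make the missing-header case an explicit accept or reject decision rather than an unhandled exception.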

minrk (Member) commented Jan 22, 2014

Probably use get, in the unlikely event these are undefined.

minrk (Member) commented Jan 22, 2014

You mentioned moving the check to on_open in authenticated handler, did you still want to do that?

rgbkrk (Member, Author) commented Jan 23, 2014

Yeah, I'll override open.

@ghost ghost assigned ellisonbg Jan 23, 2014
damianavila (Member) commented Jan 25, 2014

AFAIK, LGTM 😉

minrk added a commit that referenced this issue Jan 31, 2014
Add Origin checking for websockets.
@minrk minrk merged commit e5b669c into ipython:master Jan 31, 2014
1 check passed
pankajp pushed a commit to pankajp/ipython that referenced this issue Feb 19, 2014
@rgbkrk rgbkrk deleted the origin_host branch May 8, 2014
mattvonrocketstein pushed a commit to mattvonrocketstein/ipython that referenced this issue Nov 3, 2014
Add Origin checking for websockets.
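
The Origin/Host comparison discussed in this pull request, written out as an added example (not code from the IPython repository): it reads both headers with `.get`, normalises case and default ports before comparing, and rejects an unparsable Origin. `host_port`, `origin_matches_host`, `request_scheme` and `allow_missing_origin` are hypothetical names, and `headers` is assumed to be a plain dict.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def host_port(netloc, scheme):
    """Return (lowercased hostname, effective port), or None if unparsable."""
    try:
        parts = urlsplit("//" + netloc)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if not parts.hostname or parts.username or parts.path or parts.query:
        return None
    return parts.hostname, DEFAULT_PORT[scheme] if port is None else port


def origin_matches_host(headers, request_scheme="http", allow_missing_origin=False):
    """True when the Origin header names the host and port in the Host header."""
    origin = headers.get("Origin")  # .get(): absent headers must not raise
    host = headers.get("Host")
    if host is None:
        return False
    if origin is None:
        # Non-browser clients may send no Origin; the caller decides the policy.
        return allow_missing_origin
    try:
        parsed = urlsplit(origin)
    except ValueError:
        return False
    if parsed.scheme not in DEFAULT_PORT:
        return False  # also rejects the opaque origin "null"
    origin_hp = host_port(parsed.netloc, parsed.scheme)
    return origin_hp is not None and origin_hp == host_port(host, request_scheme)


# Constructed sample requests (not taken from the pull request).
SAMPLES = [
    {"Origin": "http://localhost:8888", "Host": "localhost:8888"},
    {"Origin": "http://LOCALHOST:8888", "Host": "localhost:8888"},
    {"Origin": "http://other.example", "Host": "localhost:8888"},
    {"Host": "localhost:8888"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", origin_matches_host(sample))
```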