Add Origin Checking. #4845
# Check to see that origin matches host directly, including ports
if origin != host:
self.log.critical("Cross Origin WebSocket Attempt.", exc_info=True)
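Review bot: the visible lines only log the mismatch; nothing in this region shows the connection being refused, so make sure the result of the comparison is also used to reject the WebSocket (for example by returning False from the check) rather than leaving the log line as the only consequence.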
Probably don't need exc_info=True, since there is no exception
@@ -17,6 +17,11 @@
#-----------------------------------------------------------------------------

try:
from urllib.parse import urlparse
I'd add a comment here indicating this is the py3 codepath. That way we'll know in the future and when we drop py2 compatibility, we can remove the py2 path.
origin = parsed_origin.netloc

# Check to see that origin matches host directly, including ports
if origin != host:
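Review bot: comparing `parsed_origin.netloc` to the raw Host header does not quite give the "including ports" match the comment promises: netloc keeps the case the browser sent while hostnames compare case-insensitively, and an Origin that omits the scheme's default port has no port in its netloc even though Host may carry one. Normalize both sides (lower-case, consistent port handling) before the `!=`, and decide explicitly what a missing or `null` Origin should do.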
just need to check that Host and Origin are both affected in the same way by proxies / tunnels
def check_origin(self):
"""Check origin from headers."""
origin_header = self.request.headers["Origin"]
host = self.request.headers["Host"]
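Review bot: indexing `self.request.headers["Origin"]` raises KeyError when the header is absent, which is the normal case for non-browser clients that never send Origin; since `check_origin` is where the policy lives, decide explicitly what it returns in that case (and for a missing Host) rather than letting the lookup fail.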
Probably use `get`, in the unlikely event these are undefined.
You mentioned moving the check to on_open in authenticated handler, did you still want to do that?
Yeah, I'll override open.
AFAIK, LGTM 😉
Add Origin checking for websockets.
This verifies that requests originate from the same host that a notebook is run on.