HTTP: Apply allowed_origins to Websocket requests also.

mopidy · Apr 12, 2018 · 30fa15c · 30fa15c
1 parent dec0037
commit 30fa15c
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 7 deletions.
diff --git a/docs/ext/http.rst b/docs/ext/http.rst
@@ -102,8 +102,9 @@ See :ref:`config` for general help on configuring Mopidy.
 .. confval:: http/allowed_origins
 
     A list of domains allowed to perform Cross-Origin Resource Sharing (CORS)
-    requests. Values should be in the format ``hostname:port`` and separated
-    by either a comma or newline.
+    requests. This list applies to both JSON-RPC and Websocket requests. Values
+    should be in the format ``hostname:port`` and separated by either a comma or
+    newline.
 
     If you want to access Mopidy's web server from a different web server, you
     will need to add an entry for that server in this list.
diff --git a/mopidy/http/handlers.py b/mopidy/http/handlers.py
@@ -26,6 +26,7 @@ def mopidy_app_factory(config, core):
         return [
             (r'/ws/?', WebSocketHandler, {
                 'core': core,
+                'allowed_origins': allowed_origins,
             }),
             (r'/rpc', JsonRpcHandler, {
                 'core': core,
@@ -101,8 +102,9 @@ def broadcast(cls, msg):
             # One callback per client to keep time we hold up the loop short
             loop.add_callback(functools.partial(_send_broadcast, client, msg))
 
-    def initialize(self, core):
+    def initialize(self, core, allowed_origins):
         self.jsonrpc = make_jsonrpc_wrapper(core)
+        self.allowed_origins = allowed_origins
 
     def open(self):
         self.set_nodelay(True)
@@ -137,9 +139,7 @@ def on_message(self, message):
             self.close()
 
     def check_origin(self, origin):
-        # Allow cross-origin WebSocket connections, like Tornado before 4.0
-        # defaulted to.
-        return True
+        return check_origin(origin, self.request.headers, self.allowed_origins)
 
 
 def set_mopidy_headers(request_handler):

diff --git a/tests/http/test_handlers.py b/tests/http/test_handlers.py
@@ -48,7 +48,9 @@ class WebSocketHandlerTest(tornado.testing.AsyncHTTPTestCase):
         def get_app(self):
             self.core = mock.Mock()
             return tornado.web.Application([
-                (r'/ws/?', handlers.WebSocketHandler, {'core': self.core})
+                (r'/ws/?', handlers.WebSocketHandler, {
+                    'core': self.core, 'allowed_origins': []
+                })
             ])
 
         def connection(self):