New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http: allow local files to access websocket (Fixes #1711) #1712

Merged
merged 1 commit into from Oct 8, 2018

Conversation

2 participants
@kingosticks
Member

kingosticks commented Oct 8, 2018

check_origin() still ensures the Origin header is set but now only blocks
when missing from the allowed list if a network location was extracted
from the header. This prevents websocket connections originating from
local files (common in Apache Cordova apps such as Mopidy-Mobile) from
being blocked; these files don't really have a sensible value for Origin
so the client browser sets the header to something like 'file://' or
'null'.

Also added some tests for check_origin().

@kingosticks kingosticks requested review from jodal and tkem Oct 8, 2018

@jodal

jodal approved these changes Oct 8, 2018

LGTM!

Please rebase on top of release/2.2 and add a 2.2.1 changelog entry.

@jodal jodal added this to the v2.2.1 milestone Oct 8, 2018

@kingosticks kingosticks changed the base branch from develop to release-2.2 Oct 8, 2018

@kingosticks kingosticks changed the base branch from release-2.2 to develop Oct 8, 2018

@kingosticks kingosticks force-pushed the kingosticks:fix/cors-breaking-changes branch from be416a6 to 0dcebdb Oct 8, 2018

@kingosticks kingosticks changed the base branch from develop to release-2.2 Oct 8, 2018

@kingosticks kingosticks force-pushed the kingosticks:fix/cors-breaking-changes branch from 0dcebdb to f89d347 Oct 8, 2018

http: allow local files to access websocket (Fixes #1711)
check_origin() still ensures the Origin header is set but now only blocks
when missing from the allowed list *if* a network location was extracted
from the header. This prevents websocket connections originating from
local files (common in Apache Cordova apps such as Mopidy-Mobile) from
being blocked; these files don't really have a sensible value for Origin
so the client browser sets the header to something like 'file://' or
'null'.

Also added some tests for check_origin().

@kingosticks kingosticks force-pushed the kingosticks:fix/cors-breaking-changes branch from f89d347 to 6e9ed9e Oct 8, 2018

@kingosticks

This comment has been minimized.

Member

kingosticks commented Oct 8, 2018

Got there in the end

@jodal jodal merged commit 9f7b347 into mopidy:release-2.2 Oct 8, 2018

1 check was pending

continuous-integration/travis-ci/pr The Travis CI build is in progress
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment