author | David Douard <david.douard@logilab.fr> |
Tue, 19 Jul 2016 15:59:02 +0200 | |
branch | 3.20 |
changeset 11403 | b0dffe713b2b |
parent 10002 | 586d0e527052 |
child 10588 | fdaa0e4b7eaf |
permissions | -rw-r--r-- |
9571
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
1 |
# -*- coding: utf-8 -*- |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
2 |
# copyright 2014 Logilab, PARIS |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
3 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
4 |
"""A set of utility functions to handle CORS requests |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
5 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
6 |
Unless specified, all references in this file are related to: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
7 |
http://www.w3.org/TR/cors |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
8 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
9 |
The provided implementation roughly follows: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
10 |
http://www.html5rocks.com/static/images/cors_server_flowchart.png |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
11 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
12 |
See also: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
13 |
https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
14 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
15 |
""" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
16 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
17 |
import urlparse |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
18 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
19 |
from cubicweb.web import LOGGER |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
20 |
info = LOGGER.info |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
21 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
22 |
class CORSFailed(Exception): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
23 |
"""Raised when cross origin resource sharing checks failed""" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
24 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
25 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
26 |
class CORSPreflight(Exception): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
27 |
"""Raised when cross origin resource sharing checks detects the |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
28 |
request as a valid preflight request""" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
29 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
30 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
31 |
def process_request(req, config): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
32 |
""" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
33 |
Process a request to apply CORS specification algorithms |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
34 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
35 |
Check whether the CORS specification is respected and set corresponding |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
36 |
headers to ensure response complies with the specification. |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
37 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
38 |
In case of non-compliance, no CORS-related header is set. |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
39 |
""" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
40 |
base_url = urlparse.urlsplit(req.base_url()) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
41 |
expected_host = '://'.join((base_url.scheme, base_url.netloc)) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
42 |
if not req.get_header('Origin') or req.get_header('Origin') == expected_host: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
43 |
# not a CORS request, nothing to do |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
44 |
return |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
45 |
try: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
46 |
# handle cross origin resource sharing (CORS) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
47 |
if req.http_method() == 'OPTIONS': |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
48 |
if req.get_header('Access-Control-Request-Method'): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
49 |
# preflight CORS request |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
50 |
process_preflight(req, config) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
51 |
else: # Simple CORS or actual request |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
52 |
process_simple(req, config) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
53 |
except CORSFailed, exc: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
54 |
info('Cross origin resource sharing failed: %s' % exc) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
55 |
except CORSPreflight: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
56 |
info('Cross origin resource sharing: valid Preflight request %s') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
57 |
raise |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
58 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
59 |
def process_preflight(req, config): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
60 |
"""cross origin resource sharing (preflight) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
61 |
Cf http://www.w3.org/TR/cors/#resource-preflight-requests |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
62 |
""" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
63 |
origin = check_origin(req, config) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
64 |
allowed_methods = set(config['access-control-allow-methods']) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
65 |
allowed_headers = set(config['access-control-allow-headers']) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
66 |
try: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
67 |
method = req.get_header('Access-Control-Request-Method') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
68 |
except ValueError: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
69 |
raise CORSFailed('Access-Control-Request-Method is incorrect') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
70 |
if method not in allowed_methods: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
71 |
raise CORSFailed('Method is not allowed') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
72 |
try: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
73 |
req.get_header('Access-Control-Request-Headers', ()) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
74 |
except ValueError: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
75 |
raise CORSFailed('Access-Control-Request-Headers is incorrect') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
76 |
req.set_header('Access-Control-Allow-Methods', allowed_methods, raw=False) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
77 |
req.set_header('Access-Control-Allow-Headers', allowed_headers, raw=False) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
78 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
79 |
process_common(req, config, origin) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
80 |
raise CORSPreflight() |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
81 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
82 |
def process_simple(req, config): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
83 |
"""Handle the Simple Cross-Origin Request case |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
84 |
""" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
85 |
origin = check_origin(req, config) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
86 |
exposed_headers = config['access-control-expose-headers'] |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
87 |
if exposed_headers: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
88 |
req.set_header('Access-Control-Expose-Headers', exposed_headers, raw=False) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
89 |
process_common(req, config, origin) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
90 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
91 |
def process_common(req, config, origin): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
92 |
req.set_header('Access-Control-Allow-Origin', origin) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
93 |
# in CW, we always support credential/authentication |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
94 |
req.set_header('Access-Control-Allow-Credentials', 'true') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
95 |
|
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
96 |
def check_origin(req, config): |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
97 |
origin = req.get_header('Origin').lower() |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
98 |
allowed_origins = config.get('access-control-allow-origin') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
99 |
if not allowed_origins: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
100 |
raise CORSFailed('access-control-allow-origin is not configured') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
101 |
if '*' not in allowed_origins and origin not in allowed_origins: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
102 |
raise CORSFailed('Origin is not allowed') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
103 |
# bit of sanity check; see "6.3 Security" |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
104 |
myhost = urlparse.urlsplit(req.base_url()).netloc |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
105 |
host = req.get_header('Host') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
106 |
if host != myhost: |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
107 |
info('cross origin resource sharing detected possible ' |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
108 |
'DNS rebinding attack Host header != host of base_url: ' |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
109 |
'%s != %s' % (host, myhost)) |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
110 |
raise CORSFailed('Host header and hostname do not match') |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
111 |
# include "Vary: Origin" header (see 6.4) |
10002
586d0e527052
[web/cors] don't overwrite other Vary headers
Julien Cristau <julien.cristau@logilab.fr>
parents:
9571
diff
changeset
|
112 |
req.headers_out.addHeader('Vary', 'Origin') |
9571
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
113 |
return origin |
aaf83cc07eed
[web] implement cross origin resource sharing (CORS) (closes #2491768)
Nicolas Chauvat <nicolas.chauvat@logilab.fr>
parents:
diff
changeset
|
114 |