web/cors.py
changeset 10603 65ad6980976e
parent 10588 fdaa0e4b7eaf
child 10907 9ae707db5265
10602:4845012cfc8e 10603:65ad6980976e
    12 See also:
    12 See also:
    13   https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
    13   https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
    14 
    14 
    15 """
    15 """
    16 
    16 
    17 import urlparse
    17 from six.moves.urllib.parse import urlsplit
    18 
    18 
    19 from cubicweb.web import LOGGER
    19 from cubicweb.web import LOGGER
    20 info = LOGGER.info
    20 info = LOGGER.info
    21 
    21 
    22 class CORSFailed(Exception):
    22 class CORSFailed(Exception):
    35     Check whether the CORS specification is respected and set corresponding
    35     Check whether the CORS specification is respected and set corresponding
    36     headers to ensure response complies with the specification.
    36     headers to ensure response complies with the specification.
    37 
    37 
    38     In case of non-compliance, no CORS-related header is set.
    38     In case of non-compliance, no CORS-related header is set.
    39     """
    39     """
    40     base_url = urlparse.urlsplit(req.base_url())
    40     base_url = urlsplit(req.base_url())
    41     expected_host = '://'.join((base_url.scheme, base_url.netloc))
    41     expected_host = '://'.join((base_url.scheme, base_url.netloc))
    42     if not req.get_header('Origin') or req.get_header('Origin') == expected_host:
    42     if not req.get_header('Origin') or req.get_header('Origin') == expected_host:
    43         # not a CORS request, nothing to do
    43         # not a CORS request, nothing to do
    44         return
    44         return
    45     try:
    45     try:
    99     if not allowed_origins:
    99     if not allowed_origins:
   100         raise CORSFailed('access-control-allow-origin is not configured')
   100         raise CORSFailed('access-control-allow-origin is not configured')
   101     if '*' not in allowed_origins and origin not in allowed_origins:
   101     if '*' not in allowed_origins and origin not in allowed_origins:
   102         raise CORSFailed('Origin is not allowed')
   102         raise CORSFailed('Origin is not allowed')
   103     # bit of sanity check; see "6.3 Security"
   103     # bit of sanity check; see "6.3 Security"
   104     myhost = urlparse.urlsplit(req.base_url()).netloc
   104     myhost = urlsplit(req.base_url()).netloc
   105     host = req.get_header('Host')
   105     host = req.get_header('Host')
   106     if host != myhost:
   106     if host != myhost:
   107         info('cross origin resource sharing detected possible '
   107         info('cross origin resource sharing detected possible '
   108              'DNS rebinding attack Host header != host of base_url: '
   108              'DNS rebinding attack Host header != host of base_url: '
   109              '%s != %s' % (host, myhost))
   109              '%s != %s' % (host, myhost))
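Review bot: The ported line 104 re-parses `req.base_url()` to obtain `myhost`, although the hunk at line 40 already binds `base_url = urlsplit(req.base_url())`; if both hunks belong to the same function (its `def` line is outside the hunks), `myhost = base_url.netloc` drops the second parse and keeps the two host values trivially consistent. The `host != myhost` test on line 106 is an exact string comparison of the raw `Host` header with the netloc, so a Host that differs only by letter case or by an explicit default port counts as a mismatch; that is pre-existing, but a comment such as `# exact netloc match: case or default-port differences are treated as a mismatch` would make the intended strictness clear. Within the hunk the mismatch is only logged via `info(...)`; the enclosing function continues past the end of the hunk, so whether the request is then rejected is not visible here.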