12 See also: |
12 See also: |
13 https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS |
13 https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS |
14 |
14 |
15 """ |
15 """ |
16 |
16 |
17 import urlparse |
17 from six.moves.urllib.parse import urlsplit |
18 |
18 |
19 from cubicweb.web import LOGGER |
19 from cubicweb.web import LOGGER |
20 info = LOGGER.info |
20 info = LOGGER.info |
21 |
21 |
22 class CORSFailed(Exception): |
22 class CORSFailed(Exception): |
35 Check whether the CORS specification is respected and set corresponding |
35 Check whether the CORS specification is respected and set corresponding |
36 headers to ensure response complies with the specification. |
36 headers to ensure response complies with the specification. |
37 |
37 |
38 In case of non-compliance, no CORS-related header is set. |
38 In case of non-compliance, no CORS-related header is set. |
39 """ |
39 """ |
40 base_url = urlparse.urlsplit(req.base_url()) |
40 base_url = urlsplit(req.base_url()) |
41 expected_host = '://'.join((base_url.scheme, base_url.netloc)) |
41 expected_host = '://'.join((base_url.scheme, base_url.netloc)) |
42 if not req.get_header('Origin') or req.get_header('Origin') == expected_host: |
42 if not req.get_header('Origin') or req.get_header('Origin') == expected_host: |
43 # not a CORS request, nothing to do |
43 # not a CORS request, nothing to do |
44 return |
44 return |
45 try: |
45 try: |
99 if not allowed_origins: |
99 if not allowed_origins: |
100 raise CORSFailed('access-control-allow-origin is not configured') |
100 raise CORSFailed('access-control-allow-origin is not configured') |
101 if '*' not in allowed_origins and origin not in allowed_origins: |
101 if '*' not in allowed_origins and origin not in allowed_origins: |
102 raise CORSFailed('Origin is not allowed') |
102 raise CORSFailed('Origin is not allowed') |
103 # bit of sanity check; see "6.3 Security" |
103 # bit of sanity check; see "6.3 Security" |
104 myhost = urlparse.urlsplit(req.base_url()).netloc |
104 myhost = urlsplit(req.base_url()).netloc |
105 host = req.get_header('Host') |
105 host = req.get_header('Host') |
106 if host != myhost: |
106 if host != myhost: |
107 info('cross origin resource sharing detected possible ' |
107 info('cross origin resource sharing detected possible ' |
108 'DNS rebinding attack Host header != host of base_url: ' |
108 'DNS rebinding attack Host header != host of base_url: ' |
109 '%s != %s' % (host, myhost)) |
109 '%s != %s' % (host, myhost)) |