-
Notifications
You must be signed in to change notification settings - Fork 767
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue691 allowed origins #693
Conversation
Current coverage is 59.99%@@ master #693 diff @@
==========================================
Files 66 66
Lines 10740 10854 +114
Methods 0 0
Messages 0 0
Branches 1643 1657 +14
==========================================
+ Hits 6366 6512 +146
+ Misses 3861 3799 -62
- Partials 513 543 +30
|
# assign websocket_origin as the triple (scheme, host, | ||
# port) but that would change what's in onConnect's | ||
# information (for .origin). Worth breaking the API for? | ||
if have_origin: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@oberstet should we do either of the above XXX things? Or should I just change the comments?
IMO, treating the Origin as a triple is pretty much required by the RFC and to make things safe. |
For the "built in" checks, I believe I am treating it as a triple that must match -- my question is more regarding the API presented via Certainly the latter seems "more correct", but might not be worth breaking code. I guess a "third way" would be to add a new |
self.assertFalse(_is_same_origin('https://example.com:80/', 443, policy)) | ||
self.assertFalse(_is_same_origin('https://example.com/', 80, policy)) | ||
self.assertFalse(_is_same_origin('http://example.org/', 80, policy)) | ||
self.assertFalse(_is_same_origin('http://ietf.org/', 80, policy)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additional valid URIs, though i'm unsure if these would be possible to spoof into the Origin given any browser:
http://example.com./
//example.com/
http://@example.com
@oberstet what do you think of 671266f (comes with example code)? This allows the existing API to function while also allowing one to be explicit about ports. Perhaps I should also remove the explicit "scheme" check (in |
@meejah The pragmatic approach looks good to me. Filtering on origin in a way is snake oil anyway: a non-browser client can fake it. Could you squash the PR and merge? |
06966b1
to
20322ed
Compare
20322ed
to
2ef13a6
Compare
- Apply patch to correct allowedOrigin validation. See bz:1359792, bz:1359791 and crossbario/autobahn-python#693
Fixes for #691, allowed-origin checks.
(In-progress).