HTTP: Apply allowed_origins to Websocket requests also.

2018-04-12 23:24:44 +01:00 · 2018-04-12 23:24:44 +01:00 · 51741a7cbc
commit 51741a7cbc
parent 7caba4a05d
3 changed files with 10 additions and 7 deletions
--- a/docs/ext/http.rst
+++ b/docs/ext/http.rst
@ -102,8 +102,9 @@ See :ref:`config` for general help on configuring Mopidy.
 .. confval:: http/allowed_origins

    A list of domains allowed to perform Cross-Origin Resource Sharing (CORS)
-    requests. Values should be in the format ``hostname:port`` and separated
-    by either a comma or newline.
+    requests. This applies to both JSON-RPC and Websocket requests. Values
+    should be in the format ``hostname:port`` and separated by either a comma or
+    newline.
    
    If you want to access Mopidy's web server from a different web server, you
    will need to add an entry for that server in this list.
--- a/mopidy/http/handlers.py
+++ b/mopidy/http/handlers.py
@ -26,6 +26,7 @@ def make_mopidy_app_factory(apps, statics):
        return [
            (r'/ws/?', WebSocketHandler, {
                'core': core,
+                'allowed_origins': allowed_origins,
            }),
            (r'/rpc', JsonRpcHandler, {
                'core': core,
@ -101,8 +102,9 @@ class WebSocketHandler(tornado.websocket.WebSocketHandler):
            # One callback per client to keep time we hold up the loop short
            loop.add_callback(functools.partial(_send_broadcast, client, msg))

-    def initialize(self, core):
+    def initialize(self, core, allowed_origins):
        self.jsonrpc = make_jsonrpc_wrapper(core)
+        self.allowed_origins = allowed_origins

    def open(self):
        self.set_nodelay(True)
@ -137,9 +139,7 @@ class WebSocketHandler(tornado.websocket.WebSocketHandler):
            self.close()

    def check_origin(self, origin):
-        # Allow cross-origin WebSocket connections, like Tornado before 4.0
-        # defaulted to.
-        return True
+        return check_origin(origin, self.request.headers, self.allowed_origins)


 def set_mopidy_headers(request_handler):
--- a/tests/http/test_handlers.py
+++ b/tests/http/test_handlers.py
@ -46,7 +46,9 @@ class WebSocketHandlerTest(tornado.testing.AsyncHTTPTestCase):
    def get_app(self):
        self.core = mock.Mock()
        return tornado.web.Application([
-            (r'/ws/?', handlers.WebSocketHandler, {'core': self.core})
+            (r'/ws/?', handlers.WebSocketHandler, {
+                'core': self.core, 'allowed_origins': []
+            })
        ])

    def connection(self):