Allows users to disable CSRF protection and revert to the HTTP server's
previous (less secure) behaviour. Users are advised to leave this config
value enabled if possible. However, if disabled this will:
* Remove the requirement to set a ``Content-Type: application/json``
  header for JSON-RPC POST requests.
* Disable all same-origin checks, effectively ignoring the ``allowed_origins``
  config since requests from any origin will be allowed.
* Suppress all ``Access-Control-Allow-*`` response headers.
check_origin() still ensures the Origin header is set but now only blocks
when missing from the allowed list *if* a network location was extracted
from the header. This prevents websocket connections originating from
local files (common in Apache Cordova apps such as Mopidy-Mobile) from
being blocked; these files don't really have a sensible value for Origin
so the client browser sets the header to something like 'file://' or
'null'.
Also added some tests for check_origin().
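
The origin rule described in the commit message above, as an added sketch that is not Mopidy's own code; the name `origin_allowed`, its signature and the sample origins are assumptions constructed for illustration. It shows the consequence a reviewer should keep in mind: any Origin value with no network location (`null`, `file://`) is accepted regardless of the allowed list.

```python
from urllib.parse import urlparse


def origin_allowed(origin, allowed_origins):
    """Return True if a request carrying this Origin header should be accepted.

    Hypothetical helper (not Mopidy's API) following the rule in the text:
    the header must be present, and the request is rejected only when a
    network location could be extracted from it and is not on the list.
    """
    if origin is None:
        # Missing Origin header: always rejected.
        return False
    allowed = {entry.lower() for entry in allowed_origins}
    netloc = urlparse(origin).netloc.lower()
    # 'null' and 'file://...' parse to an empty netloc, so they fall through
    # and are accepted; there is nothing to compare against the list.
    if netloc and netloc not in allowed:
        return False
    return True


# Constructed sample values, not taken from any real deployment.
ALLOWED = {"music.example.test:6680"}
SAMPLES = [
    None,
    "http://music.example.test:6680",
    "http://other.example.test",
    "file://",
    "null",
]


def evaluate_samples():
    """Map each constructed Origin value to the decision made for it."""
    return {origin: origin_allowed(origin, ALLOWED) for origin in SAMPLES}


if __name__ == "__main__":
    for origin, accepted in evaluate_samples().items():
        print(f"{origin!r:40} -> {'accept' if accepted else 'reject'}")
```
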
Adds some WebSocketHandler tests that actually connect using a WS client and
plugs a potential race condition.
Any call to write_message could fail, either due to WebSocketClosedError like
in the log below, or simply due to socket errors. To play it safe we catch all
errors and debug log that a broadcast failed.

2015-02-26 21:24:02,266 ERROR [HttpServer] /home/adamcik/dev/mopidy/mopidy/http/handlers.py:116
  mopidy.http.handlers WebSocket request error: deque index out of range
2015-02-26 21:24:10,098 ERROR [HttpFrontend-11] build/bdist.linux-x86_64/egg/pykka/actor.py:268
  pykka Unhandled exception in HttpFrontend (urn:uuid:e376bd95-c32e-4e17-ad20-7d0b3c0cf2b2):
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/pykka/actor.py", line 200, in _actor_loop
    response = self._handle_receive(message)
  File "build/bdist.linux-x86_64/egg/pykka/actor.py", line 294, in _handle_receive
    return callee(*message['args'], **message['kwargs'])
  File ".../dev/mopidy/mopidy/http/actor.py", line 77, in on_event
    on_event(name, **data)
  File ".../dev/mopidy/mopidy/http/actor.py", line 84, in on_event
    handlers.WebSocketHandler.broadcast(message)
  File ".../dev/mopidy/mopidy/http/handlers.py", line 78, in broadcast
    client.write_message(msg)
  File ".../dev/mopidy-virtualenv/local/lib/python2.7/site-packages/tornado/websocket.py", line 183, in write_message
    raise WebSocketClosedError()
WebSocketClosedError

Builds upon #725 to:
- Remove extra config for Mopidy-HTTP Zeroconf service
- Refactor Zeroconf setup code in the HTTP frontend a bit
- Add documentation