Use Tornado default WebSocket check_origin function #125

Merged: 3 commits, Jul 20, 2020
26 changes: 26 additions & 0 deletions CHANGES.md
Expand Up @@ -5,6 +5,32 @@ all changes see the [closed
milestones](https://github.com/cylc/cylc-uiserver/milestones?state=closed) for
each release.

-------------------------------------------------------------------------------
## __cylc-uiserver-0.3 (2020-??-??)__

Release 0.3 of Cylc UI Server.

### Backward incompatible changes

None or N/A.

### Enhancements

[#125](https://github.com/cylc/cylc-uiserver/pull/125) - Use Tornado
default WebSocket check_origin function.

### Fixes

None.

### Documentation

None.

### Security issues

None.

-------------------------------------------------------------------------------
## __cylc-uiserver-0.2 (2020-07-14)__

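Review bot: the entry is filed only under "Enhancements" while "Security issues" still reads "None."; since the change removes a `check_origin` override that accepted every origin and restores Tornado's same-origin check on the WebSocket upgrade, it is a security-relevant behaviour change and should be listed (or cross-referenced) under "Security issues" too, so operators scanning release notes for hardening changes see it. The "2020-??-??" date is fine as a pending-release placeholder.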
3 changes: 0 additions & 3 deletions cylc/uiserver/handlers.py
Expand Up @@ -157,9 +157,6 @@ async def recv(self):
def recv_nowait(self):
return self.queue.get_nowait()

def check_origin(self, origin: str) -> bool:
return True

@property
def context(self):
wider_context = {
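Review bot: dropping the `return True` override means the handler now inherits Tornado's default `check_origin`, which accepts the upgrade only when the netloc of the `Origin` header (lower-cased, port included) equals the `Host` header exactly and otherwise answers 403. That is the right default, but it changes behaviour for deployments where a reverse proxy rewrites `Host`, or where the UI is loaded from a hostname or port different from the one the WebSocket connects to: those users will see the WebSocket rejected after this lands. Suggest a line in CHANGES.md or the docs telling operators to preserve the `Host` header through the proxy, and, if an override is ever needed again, to compare against an explicit allowlist rather than returning `True` unconditionally.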
26 changes: 24 additions & 2 deletions cylc/uiserver/tests/test_handlers.py
Expand Up @@ -110,9 +110,31 @@ def test_websockets_subprotocol(self):
handler = self._create_handler()
assert handler.select_subprotocol(subprotocols=[]) == GRAPHQL_WS

def test_websockets_check_origin(self):
def test_websockets_check_origin_accepts_same_origin(self):
"""A request that includes the Host header must use the same
value as the server host, or an error is raised.

This prevents CORS attacks. In Cylc UI, it should work as we
expect the Host header to be set by the browser when you navigate
to the UI Server. Once your browser opens the WebSocket request
it should match the Host of the UI Server.
"""
handler = self._create_handler()
assert handler.check_origin(origin='')
host_header = 'ui.cylc'
handler.request.headers['Host'] = host_header
assert handler.check_origin(origin=f'http://{host_header}')

def test_websockets_check_origin_rejects_different_origin(self):
"""A request from a different Host MUST be blocked to prevent
CORS attacks.

This is the default after Tornado 4, and helps secure Cylc UI
WebSocket endpoint. Change this behavior carefully.
"""
handler = self._create_handler()
host_header = 'ui.cylc'
handler.request.headers['Host'] = host_header
assert not handler.check_origin(origin=f'http://ui.notcylc')

def test_websockets_context(self):
handler = self._create_handler()
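Review bot: `assert handler.check_origin(origin='')` in `test_websockets_check_origin_accepts_same_origin` only holds because the mock request created by `_create_handler` has no (or an empty) `Host` header that happens to compare equal to the empty netloc; it pins the fixture rather than the policy, and a browser always sends `Origin` on a WebSocket upgrade, so that line should be dropped or turned into a rejection case. Two smaller points: `f'http://ui.notcylc'` on the last assertion is an f-string with no placeholders, and the docstrings describe the threat as "CORS attacks" and say "an error is raised", whereas CORS does not govern WebSockets (the risk is cross-site WebSocket hijacking) and `check_origin` simply returns `False`, which Tornado turns into a 403. A third case asserting that the same host on a different port (e.g. `origin=f'http://{host_header}:9999'`) is rejected would document that Tornado's comparison includes the port.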