tornado 403 GET warning when opening websocket
please add
def check_origin(self, origin): return True
in class MyHandler like this
class MyHandler(tornado.websocket.WebSocketHandler): def check_origin(self, origin): return True def open(self): print "connection opened" self.write_message("connection opened") def on_close(self): print "connection closed" def on_message(self,message): print "Message received: {}".format(message) self.write_message("message received")
From the DOCs:
By default, [check_origin] rejects all requests with an origin on a host other than this one.
This is a security protection against cross site scripting attacks on browsers, since WebSockets are allowed to bypass the usual same-origin policies and don’t use CORS headers.
And again:
This is an important security measure; don’t disable it without understanding the security implications. In particular, if your authentication is cookie-based, you must either restrict the origins allowed by check_origin() or implement your own XSRF-like protection for websocket connections. See these articles for more.
Link.
Don't just set return True
on check_origin()
because it's a security threat, use a list of allowed domains instead, i.e.:
def check_origin(self, origin): allowed = ["https://site1.tld", "https://site2.tld"] if origin in allowed: print("allowed", origin) return 1
Slightly modified @maxhawkdown's solution.
from tornado.util import PY3if PY3: from urllib.parse import urlparse # py2 xrange = rangeelse: from urlparse import urlparse # py3class ChatHandler(tornado.websocket.WebSocketHandler): CORS_ORIGINS = ['localhost'] def check_origin(self, origin): parsed_origin = urlparse(origin) # parsed_origin.netloc.lower() gives localhost:3333 return parsed_origin.hostname in self.CORS_ORIGINS