tornado 403 GET warning when opening websocket

please add

def check_origin(self, origin):    return True

in class MyHandler like this

class MyHandler(tornado.websocket.WebSocketHandler):    def check_origin(self, origin):        return True    def open(self):        print "connection opened"        self.write_message("connection opened")    def on_close(self):        print "connection closed"    def on_message(self,message):        print "Message received: {}".format(message)        self.write_message("message received")

From the DOCs:

By default, [check_origin] rejects all requests with an origin on a host other than this one.

This is a security protection against cross site scripting attacks on browsers, since WebSockets are allowed to bypass the usual same-origin policies and don’t use CORS headers.

And again:

This is an important security measure; don’t disable it without understanding the security implications. In particular, if your authentication is cookie-based, you must either restrict the origins allowed by check_origin() or implement your own XSRF-like protection for websocket connections. See these articles for more.

Link.

Don't just set return True on check_origin() because it's a security threat, use a list of allowed domains instead, i.e.:

def check_origin(self, origin):    allowed = ["https://site1.tld", "https://site2.tld"]    if origin in allowed:        print("allowed", origin)        return 1

Slightly modified @maxhawkdown's solution.

from tornado.util import PY3if PY3:    from urllib.parse import urlparse  # py2    xrange = rangeelse:    from urlparse import urlparse  # py3class ChatHandler(tornado.websocket.WebSocketHandler):    CORS_ORIGINS = ['localhost']    def check_origin(self, origin):        parsed_origin = urlparse(origin)        # parsed_origin.netloc.lower() gives localhost:3333        return parsed_origin.hostname in self.CORS_ORIGINS