tornado 403 GET warning when opening websocket
Slightly modified @maxhawkdown's solution.
from tornado.util import PY3
if PY3:
from urllib.parse import urlparse # py2
xrange = range
else:
from urlparse import urlparse # py3
class ChatHandler(tornado.websocket.WebSocketHandler):
CORS_ORIGINS = ['localhost']
def check_origin(self, origin):
parsed_origin = urlparse(origin)
# parsed_origin.netloc.lower() gives localhost:3333
return parsed_origin.hostname in self.CORS_ORIGINS
Don't just set return True
on check_origin()
because it's a security threat, use a list of allowed domains instead, i.e.:
def check_origin(self, origin):
allowed = ["https://site1.tld", "https://site2.tld"]
if origin in allowed:
print("allowed", origin)
return 1
please add
def check_origin(self, origin):
return True
in class MyHandler like this
class MyHandler(tornado.websocket.WebSocketHandler):
def check_origin(self, origin):
return True
def open(self):
print "connection opened"
self.write_message("connection opened")
def on_close(self):
print "connection closed"
def on_message(self,message):
print "Message received: {}".format(message)
self.write_message("message received")
From the DOCs:
By default, [check_origin] rejects all requests with an origin on a host other than this one.
This is a security protection against cross site scripting attacks on browsers, since WebSockets are allowed to bypass the usual same-origin policies and don’t use CORS headers.
And again:
This is an important security measure; don’t disable it without understanding the security implications. In particular, if your authentication is cookie-based, you must either restrict the origins allowed by check_origin() or implement your own XSRF-like protection for websocket connections. See these articles for more.
Link.