Enforce origin checking on pixel trackers (indirectly fixes #65)
milesmcc committed Aug 11, 2020
1 parent 2d42674 commit 3e315f0
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions shynet/analytics/views/ingress.py
Expand Up @@ -5,7 +5,7 @@
from django.conf import settings
from django.core.cache import cache
from django.core.exceptions import ValidationError
from django.http import Http404, HttpResponse, HttpResponseBadRequest
from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseForbidden
from django.shortcuts import render, reverse
from django.utils import timezone
from django.utils.decorators import method_decorator
Expand Down Expand Up @@ -53,9 +53,14 @@ def dispatch(self, request, *args, **kwargs):

if origins != "*":
remote_origin = request.META.get("HTTP_ORIGIN")
origins = [origin.strip() for origin in origins.split(",")]
if remote_origin is None and request.META.get("HTTP_REFERER") is not None:
parsed = urlparse(request.META.get("HTTP_REFERER"))
remote_origin = f"{parsed.scheme}://{parsed.netloc}".lower()
origins = [origin.strip().lower() for origin in origins.split(",")]
if remote_origin in origins:
resp["Access-Control-Allow-Origin"] = remote_origin
else:
return HttpResponseForbidden()
else:
resp["Access-Control-Allow-Origin"] = "*"

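Review bot: The comparison is case-normalised on only two of its three inputs — the allow-list (`origins = [origin.strip().lower() for origin in origins.split(",")]`) and the Referer-derived fallback are lowercased, but the value read straight from `HTTP_ORIGIN` is compared as sent, so an Origin header whose host contains uppercase letters (hosts are case-insensitive, and non-browser clients do send them that way) is rejected with 403 against an otherwise identical lowercase entry; normalise once after the fallback block with `if remote_origin is not None:` / `remote_origin = remote_origin.lower()` and drop the `.lower()` from the f-string. Two caveats deserve a comment next to the Referer fallback: an `<img>` pixel never carries an Origin header, so a site that embeds it under `Referrer-Policy: no-referrer` now gets 403 instead of being counted, and since both Origin and Referer are client-supplied this stops browsers hotlinking the pixel from unlisted sites but is not authentication — a scripted client can forge either header. The hunk does not show where `urlparse` is imported; if it is not in scope above line 5, the Referer branch raises NameError on the first request that hits it. `dispatch` begins and ends outside this hunk.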