From c03ef52ba85648e920d84f6c8cedea35b2fec201 Mon Sep 17 00:00:00 2001
From: CasperVerswijvelt
Date: Fri, 2 Apr 2021 21:21:24 +0200
Subject: [PATCH] Fix pixel request from not allowed origin triggering a hit
---
 shynet/analytics/views/ingress.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/shynet/analytics/views/ingress.py b/shynet/analytics/views/ingress.py
index 9a5107b..538f1e6 100644
--- a/shynet/analytics/views/ingress.py
+++ b/shynet/analytics/views/ingress.py
@@ -54,7 +54,7 @@ class ValidateServiceOriginsMixin:
 origins = service.origins
 cache.set(f"service_origins_{service_uuid}", origins, timeout=3600)
- resp = super().dispatch(request, *args, **kwargs)
+ allow_origin = "*"
 if origins != "*":
 remote_origin = request.META.get("HTTP_ORIGIN")
@@ -66,12 +66,12 @@ class ValidateServiceOriginsMixin:
 remote_origin = f"{parsed.scheme}://{parsed.netloc}".lower()
 origins = [origin.strip().lower() for origin in origins.split(",")]
 if remote_origin in origins:
- resp["Access-Control-Allow-Origin"] = remote_origin
+ allow_origin = remote_origin
 else:
 return HttpResponseForbidden()
- else:
- resp["Access-Control-Allow-Origin"] = "*"
+ resp = super().dispatch(request, *args, **kwargs)
+ resp["Access-Control-Allow-Origin"] = allow_origin
 resp["Access-Control-Allow-Methods"] = "GET,HEAD,OPTIONS,POST"
 resp[
 "Access-Control-Allow-Headers"
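Review bot: `allow_origin = "*"` in the first hunk is now the default for every path that reaches the header assignment, where the wildcard used to be written only in an explicit `else` branch. That is correct for the lines visible here, but the lines between the two hunks are not shown, and any path that skips the `if origins != "*":` block would send the wildcard without saying so. A short comment would pin the intent: `# Wildcard only when the service allows every origin; narrowed or rejected below.` The method starts and ends outside this hunk.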
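Review bot: The new `resp = super().dispatch(request, *args, **kwargs)` in the second hunk has to stay below the `return HttpResponseForbidden()` for this fix to hold, and nothing on the line says so. A comment such as `# Dispatch only after the origin check so a rejected origin never records a hit.` would protect the ordering, and a regression test for a disallowed origin would catch a later reordering. Separately, when `allow_origin` echoes the request origin the response depends on the `Origin` header; unless it is already done below the hunk, `patch_vary_headers(resp, ("Origin",))` from `django.utils.cache` keeps a shared cache from replaying one site's header to another. The method continues outside the hunk.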