From 3e315f06edc71fa4eca7adf8e8197a708a5d5bb3 Mon Sep 17 00:00:00 2001
From: "R. Miles McCain"
Date: Tue, 11 Aug 2020 21:56:20 +0000
Subject: [PATCH] Enforce origin checking on pixel trackers (indirectly fixes #65)

---
 shynet/analytics/views/ingress.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/shynet/analytics/views/ingress.py b/shynet/analytics/views/ingress.py
index b7083e4..51e2343 100644
--- a/shynet/analytics/views/ingress.py
+++ b/shynet/analytics/views/ingress.py
@@ -5,7 +5,7 @@ from urllib.parse import urlparse
 from django.conf import settings
 from django.core.cache import cache
 from django.core.exceptions import ValidationError
-from django.http import Http404, HttpResponse, HttpResponseBadRequest
+from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseForbidden
 from django.shortcuts import render, reverse
 from django.utils import timezone
 from django.utils.decorators import method_decorator
@@ -53,9 +53,14 @@ class ValidateServiceOriginsMixin:
         if origins != "*":
             remote_origin = request.META.get("HTTP_ORIGIN")
-            origins = [origin.strip() for origin in origins.split(",")]
+            if remote_origin is None and request.META.get("HTTP_REFERER") is not None:
+                parsed = urlparse(request.META.get("HTTP_REFERER"))
+                remote_origin = f"{parsed.scheme}://{parsed.netloc}".lower()
+            origins = [origin.strip().lower() for origin in origins.split(",")]
             if remote_origin in origins:
                 resp["Access-Control-Allow-Origin"] = remote_origin
+            else:
+                return HttpResponseForbidden()
             else:
                 resp["Access-Control-Allow-Origin"] = "*"
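Review bot: The Referer fallback on the new lines makes a client-supplied header the access decision, and neither `HTTP_ORIGIN` nor `HTTP_REFERER` is reliable beyond what a cooperating browser sends, so the new 403 is a CORS-style guard against unintended embedding rather than protection against a forged origin; a comment stating that scope would stop a later maintainer treating it as authentication, e.g. `# Origin/Referer are client-supplied: this rejects mis-configured embeds, not deliberate spoofing`. The same `in origins` test also means a pixel fetched with no Origin and a suppressed Referer (Referrer-Policy no-referrer, mail clients) now gets 403 instead of being recorded, which the commit message implies is intended but is worth a one-line comment next to `return HttpResponseForbidden()`. The Referer-derived value keeps `parsed.netloc` verbatim, so a referrer carrying an explicit port or userinfo (`https://example.com:443/`) will not match an allowlist entry written as `https://example.com`; building the comparison value from `parsed.hostname` plus a non-default `parsed.port` would be the usual normalization. The hunk header announces 14 new lines but fewer are visible here, so the enclosing method continues past this excerpt.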