theluyuan/shynet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix pixel request from not allowed origin triggering a hit

Browse Source
This commit is contained in:
CasperVerswijvelt 2021-04-02 21:21:24 +02:00
parent 9cb030ecbd
commit c03ef52ba8
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
shynet/analytics/views/ingress.py
View File

@ -54,7 +54,7 @@ class ValidateServiceOriginsMixin:
origins = service.origins origins = service.origins
cache.set(f"service_origins_{service_uuid}", origins, timeout=3600) cache.set(f"service_origins_{service_uuid}", origins, timeout=3600)
resp = super().dispatch(request, *args, **kwargs) allow_origin = "*"
if origins != "*": if origins != "*":
remote_origin = request.META.get("HTTP_ORIGIN") remote_origin = request.META.get("HTTP_ORIGIN")
@ -66,12 +66,12 @@ class ValidateServiceOriginsMixin:
remote_origin = f"{parsed.scheme}://{parsed.netloc}".lower() remote_origin = f"{parsed.scheme}://{parsed.netloc}".lower()
origins = [origin.strip().lower() for origin in origins.split(",")] origins = [origin.strip().lower() for origin in origins.split(",")]
if remote_origin in origins: if remote_origin in origins:
resp["Access-Control-Allow-Origin"] = remote_origin allow_origin = remote_origin
else: else:
return HttpResponseForbidden() return HttpResponseForbidden()
else:
resp["Access-Control-Allow-Origin"] = "*"
resp = super().dispatch(request, *args, **kwargs)
resp["Access-Control-Allow-Origin"] = allow_origin
resp["Access-Control-Allow-Methods"] = "GET,HEAD,OPTIONS,POST" resp["Access-Control-Allow-Methods"] = "GET,HEAD,OPTIONS,POST"
resp[ resp[
"Access-Control-Allow-Headers" "Access-Control-Allow-Headers"