s/cors_/allow_/

add notes about Tornado 4, and comments, updates per review

IPython/html/base/handlers.py

@@ -157,30 +157,30 @@ class IPythonHandler(AuthenticatedHandler):
     #---------------------------------------------------------------
     
     @property
-    def cors_origin(self):
+    def allow_origin(self):
         """Normal Access-Control-Allow-Origin"""
-        return self.settings.get('cors_origin', '')
+        return self.settings.get('allow_origin', '')
     
     @property
-    def cors_origin_pat(self):
+    def allow_origin_pat(self):
-        """Regular expression version of cors_origin"""
+        """Regular expression version of allow_origin"""
-        return self.settings.get('cors_origin_pat', None)
+        return self.settings.get('allow_origin_pat', None)
     
     @property
-    def cors_credentials(self):
+    def allow_credentials(self):
         """Whether to set Access-Control-Allow-Credentials"""
-        return self.settings.get('cors_credentials', False)
+        return self.settings.get('allow_credentials', False)
     
     def set_default_headers(self):
         """Add CORS headers, if defined"""
         super(IPythonHandler, self).set_default_headers()
-        if self.cors_origin:
+        if self.allow_origin:
-            self.set_header("Access-Control-Allow-Origin", self.cors_origin)
+            self.set_header("Access-Control-Allow-Origin", self.allow_origin)
-        elif self.cors_origin_pat:
+        elif self.allow_origin_pat:
             origin = self.get_origin()
-            if origin and self.cors_origin_pat.match(origin):
+            if origin and self.allow_origin_pat.match(origin):
                 self.set_header("Access-Control-Allow-Origin", origin)
-        if self.cors_credentials:
+        if self.allow_credentials:
             self.set_header("Access-Control-Allow-Credentials", 'true')
     
     def get_origin(self):

IPython/html/base/zmqhandlers.py

@@ -30,8 +30,12 @@ from .handlers import IPythonHandler
 class ZMQStreamHandler(websocket.WebSocketHandler):
     
     def check_origin(self, origin):
-        """Check Origin == Host or CORS origins."""
+        """Check Origin == Host or Access-Control-Allow-Origin.
-        if self.cors_origin == '*':
+        
+        Tornado >= 4 calls this method automatically, raising 403 if it returns False.
+        We call it explicitly in `open` on Tornado < 4.
+        """
+        if self.allow_origin == '*':
             return True
 
         host = self.request.headers.get("Host")
@@ -47,15 +51,12 @@ class ZMQStreamHandler(websocket.WebSocketHandler):
             return True
         
         # Check CORS headers
-        if self.cors_origin:
+        if self.allow_origin:
-            if self.cors_origin == '*':
+            return self.allow_origin == origin
-                return True
+        elif self.allow_origin_pat:
-            else:
+            return bool(self.allow_origin_pat.match(origin))
-                return self.cors_origin == origin
-        elif self.cors_origin_pat:
-            return bool(self.cors_origin_pat.match(origin))
         else:
-            # No CORS headers, deny the request
+            # No CORS headers deny the request
             return False
 
     def clear_cookie(self, *args, **kwargs):
@@ -117,8 +118,8 @@ class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
         # Tornado 4 already does CORS checking
         if tornado.version_info[0] < 4:
             if not self.check_origin(self.get_origin()):
-                self.log.warn("Cross Origin WebSocket Attempt.")
+                self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
-                raise web.HTTPError(404)
+                raise web.HTTPError(403)
 
         self.session = Session(config=self.config)
         self.save_on_message = self.on_message

IPython/html/notebookapp.py

@@ -336,16 +336,16 @@ class NotebookApp(BaseIPythonApplication):
 
     # Network related information
     
-    cors_origin = Unicode('', config=True,
+    allow_origin = Unicode('', config=True,
         help="""Set the Access-Control-Allow-Origin header
         
         Use '*' to allow any origin to access your server.
         
-        Mutually exclusive with cors_origin_pat.
+        Takes precedence over allow_origin_pat.
         """
     )
     
-    cors_origin_pat = Unicode('', config=True,
+    allow_origin_pat = Unicode('', config=True,
         help="""Use a regular expression for the Access-Control-Allow-Origin header
         
         Requests from an origin matching the expression will get replies with:
@@ -354,11 +354,11 @@ class NotebookApp(BaseIPythonApplication):
         
         where `origin` is the origin of the request.
         
-        Mutually exclusive with cors_origin.
+        Ignored if allow_origin is set.
         """
     )
     
-    cors_credentials = Bool(False, config=True,
+    allow_credentials = Bool(False, config=True,
         help="Set the Access-Control-Allow-Credentials: true header"
     )
     
@@ -649,9 +649,9 @@ class NotebookApp(BaseIPythonApplication):
     
     def init_webapp(self):
         """initialize tornado webapp and httpserver"""
-        self.webapp_settings['cors_origin'] = self.cors_origin
+        self.webapp_settings['allow_origin'] = self.allow_origin
-        self.webapp_settings['cors_origin_pat'] = re.compile(self.cors_origin_pat)
+        self.webapp_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
-        self.webapp_settings['cors_credentials'] = self.cors_credentials
+        self.webapp_settings['allow_credentials'] = self.allow_credentials
         
         self.web_app = NotebookWebApplication(
             self, self.kernel_manager, self.notebook_manager,