Merge branch 'hotfix/origin-fallback'

This commit is contained in:
Martin Zimmermann 2014-03-29 13:13:26 +01:00
commit 3fc52b94b9
5 changed files with 37 additions and 26 deletions


@ -41,7 +41,7 @@ session key and hostname. Here are the default values for this section:
[general] [general]
dbpath = /tmp/isso.db dbpath = /tmp/isso.db
name = name =
host = http://localhost:8080/ host =
max-age = 15m max-age = 15m
notify = notify =
@ -54,21 +54,22 @@ name
not used otherwise. not used otherwise.
host host
URL to your website. When you start Isso, it will probe your website with Your website(s). If Isso is unable to connect to at least on site, you'll
a simple ``GET /`` request to see if it can reach the webserver. If this get a warning during startup and comments are most likely non-functional.
fails, Isso may not be able check if a web page exists, thus fails to
accept new comments.
You can supply more than one host: You'll need at least one host/website to run Isso. This is due to security
reasons: Isso uses CORS_ to embed comments and to restrict comments only to
your website, you have to "whitelist" your website(s).
I recommend the first value to be a non-SSL website that is used as fallback
if Firefox users (and only those) supress their HTTP referer completely.
.. code-block:: ini .. code-block:: ini
[general] [general]
host = host =
http://localhost/ http://example.tld/
https://localhost/ https://example.tld/
This is useful, when your website is available on HTTP and HTTPS.
max-age max-age
time range that allows users to edit/remove their own comments. See time range that allows users to edit/remove their own comments. See
@ -79,6 +80,9 @@ notify
is available. is available.
.. _CORS: https://developer.mozilla.org/en/docs/HTTP/Access_control_CORS
Moderation Moderation
---------- ----------


@ -25,13 +25,12 @@ class CORSTest(unittest.TestCase):
origin=origin([ origin=origin([
"https://example.tld/", "https://example.tld/",
"http://example.tld/", "http://example.tld/",
"http://example.tld",
]), ]),
allowed=("Foo", "Bar"), exposed=("Spam", )) allowed=("Foo", "Bar"), exposed=("Spam", ))
client = Client(app, Response) client = Client(app, Response)
rv = client.get("/", headers={"ORIGIN": "https://example.tld"}) rv = client.get("/", headers={"Origin": "https://example.tld"})
self.assertEqual(rv.headers["Access-Control-Allow-Origin"], "https://example.tld") self.assertEqual(rv.headers["Access-Control-Allow-Origin"], "https://example.tld")
self.assertEqual(rv.headers["Access-Control-Allow-Credentials"], "true") self.assertEqual(rv.headers["Access-Control-Allow-Credentials"], "true")
@ -39,13 +38,13 @@ class CORSTest(unittest.TestCase):
self.assertEqual(rv.headers["Access-Control-Allow-Headers"], "Foo, Bar") self.assertEqual(rv.headers["Access-Control-Allow-Headers"], "Foo, Bar")
self.assertEqual(rv.headers["Access-Control-Expose-Headers"], "Spam") self.assertEqual(rv.headers["Access-Control-Expose-Headers"], "Spam")
a = client.get("/", headers={"ORIGIN": "http://example.tld"}) a = client.get("/", headers={"Origin": "http://example.tld"})
self.assertEqual(a.headers["Access-Control-Allow-Origin"], "http://example.tld") self.assertEqual(a.headers["Access-Control-Allow-Origin"], "http://example.tld")
b = client.get("/", headers={"ORIGIN": "http://example.tld"}) b = client.get("/", headers={"Origin": "http://example.tld"})
self.assertEqual(b.headers["Access-Control-Allow-Origin"], "http://example.tld") self.assertEqual(b.headers["Access-Control-Allow-Origin"], "http://example.tld")
c = client.get("/", headers={"ORIGIN": "http://foo.other"}) c = client.get("/", headers={"Origin": "http://foo.other"})
self.assertEqual(c.headers["Access-Control-Allow-Origin"], "https://example.tld") self.assertEqual(c.headers["Access-Control-Allow-Origin"], "https://example.tld")
@ -55,7 +54,7 @@ class CORSTest(unittest.TestCase):
allowed=("Foo", ), exposed=("Bar", )) allowed=("Foo", ), exposed=("Bar", ))
client = Client(app, Response) client = Client(app, Response)
rv = client.open(method="OPTIONS", path="/", headers={"ORIGIN": "http://example.tld"}) rv = client.open(method="OPTIONS", path="/", headers={"Origin": "http://example.tld"})
self.assertEqual(rv.status_code, 200) self.assertEqual(rv.status_code, 200)
for hdr in ("Origin", "Headers", "Credentials", "Methods"): for hdr in ("Origin", "Headers", "Credentials", "Methods"):
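Review bot: The request `b = client.get("/", headers={"Origin": "http://example.tld"})` is now byte-for-byte the same as `a` two lines above, so it asserts nothing new; the slash-less `"http://example.tld"` entry it presumably mirrored has been dropped from the origin list in the first hunk. Either delete `b` or repurpose it for the case this commit introduces, a request with no Origin header at all: `b = client.get("/")` followed by `self.assertEqual(b.headers["Access-Control-Allow-Origin"], "https://example.tld")`. The expected value assumes the first configured host is echoed as the fallback, which the `c` request below suggests but which is decided in the CORS middleware outside this file; confirm before pinning it.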


@ -46,3 +46,4 @@ class TestWSGIUtilities(unittest.TestCase):
"http://foo.bar") "http://foo.bar")
self.assertEqual(origin({"HTTP_ORIGIN": "http://spam.baz"}), self.assertEqual(origin({"HTTP_ORIGIN": "http://spam.baz"}),
"http://foo.bar") "http://foo.bar")
self.assertEqual(origin({}), "http://foo.bar")
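Review bot: The new assertion `self.assertEqual(origin({}), "http://foo.bar")` pins the missing-header fallback, but the other branch this commit reshapes in `isso/wsgi.py`, an empty host list returning `"http://invalid.local"` before any header is read, still has no test. A line such as `self.assertEqual(ORIGIN_FACTORY([])({}), "http://invalid.local")` would cover it, where `ORIGIN_FACTORY` is whatever name the `origin(hosts)` factory is imported under in this file (its import is outside the hunk). A case for a present-but-empty header, `origin({"HTTP_ORIGIN": ""})`, is also worth adding, since the guard in wsgi.py changed from `not loc` to `loc is None` and the expected result for that input is no longer obvious.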


@ -81,10 +81,13 @@ def origin(hosts):
def func(environ): def func(environ):
if not hosts:
return "http://invalid.local"
loc = environ.get("HTTP_ORIGIN", environ.get("HTTP_REFERER", None)) loc = environ.get("HTTP_ORIGIN", environ.get("HTTP_REFERER", None))
if not hosts or not loc: if loc is None:
return "http://invalid.local" return urljoin(*hosts[0])
for split in hosts: for split in hosts:
if urlsplit(loc) == split: if urlsplit(loc) == split:
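Review bot: `if loc is None:` is narrower than the `not loc` check it replaces, so an `Origin`/`Referer` header that is present but empty (`HTTP_ORIGIN` set to `""`) is no longer short-circuited and now reaches `urlsplit(loc)` in the loop below. Before this commit such a request was answered with `"http://invalid.local"`; what it gets now depends on the loop's exit path, which lies outside the hunk (the unmatched-origin case in test_cors.py suggests it falls back to `hosts[0]`). If empty values are meant to be treated like a missing header, the two lines `loc = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")` and `if not loc: return urljoin(*hosts[0])` say so explicitly and additionally let an empty `Origin` fall through to `Referer`, which the current nested `.get` never consults once `HTTP_ORIGIN` is present; if empty values should still be rejected, keep a separate `if loc is not None and not loc: return "http://invalid.local"` ahead of the new fallback. `func` continues past the hunk and its enclosing `origin(hosts)` starts before it.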


@ -10,14 +10,18 @@ dbpath = /tmp/comments.db
# required to dispatch multiple websites, not used otherwise. # required to dispatch multiple websites, not used otherwise.
name = name =
# URL to your website. When you start Isso, it will probe your website with a # Your website(s). If Isso is unable to connect to at least on site, you'll
# simple GET / request to see if it can reach the webserver. If this fails, Isso # get a warning during startup and comments are most likely non-functional.
# may not be able check if a web page exists, thus fails to accept new comments. #
# You can supply more than one host: # You'll need at least one host/website to run Isso. This is due to security
# host = # reasons: Isso uses CORS_ to embed comments and to restrict comments only to
# http://localhost/ # your website, you have to "whitelist" your website(s).
# https://localhost/ #
host = http://localhost/ # I recommend the first value to be a non-SSL website that is used as fallback
# if Firefox users (and only those) supress their HTTP referer completely.
host =
http://example.tld/
https://example.tld/
# time range that allows users to edit/remove their own comments. # time range that allows users to edit/remove their own comments.
# It supports years, weeks, days, hours, minutes, seconds. # It supports years, weeks, days, hours, minutes, seconds.