Source code for intranet.middleware.same_origin
import urllib.parse
from django import http
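class SameOriginMiddleware:
    """Block requests whose "Origin" header names a different host than the "Host" header.

    The network location (host[:port]) parsed from "Origin" is compared with the raw
    "Host" header value; on a mismatch the request is answered with HTTP 401 and never
    reaches the rest of the middleware chain.

    Limits of the check, as implemented here:

    * Requests that carry no "Origin" header are passed through unchanged, so this
      middleware does not by itself cover requests that omit the header.
    * Only the network location is compared. The scheme in "Origin" is ignored, so an
      ``http://`` origin on the same host[:port] is accepted by an ``https://`` site.
    * The comparison is an exact string match, so a difference in letter case or an
      explicitly written port on one side only is treated as a mismatch.

    NOTE(review): "Host" is read straight from the request headers. Confirm that host
    validation (for example Django's ALLOWED_HOSTS via ``request.get_host()``) happens
    elsewhere, and that any reverse proxy in front of the app preserves "Host".
    """

    def __init__(self, get_response):
        """Store the next handler of the middleware chain.

        Args:
            get_response: Callable that takes the request and returns the response.
        """
        self.get_response = get_response

    def __call__(self, request):
        """Pass the request on, or answer 401 when "Origin" does not match "Host".

        Args:
            request: Incoming request; only ``request.headers`` is read here.

        Returns:
            The response of ``get_response(request)`` when "Origin" is absent or its
            network location equals "Host", otherwise an empty response with status 401.
        """
        host = request.headers.get("host")
        origin = request.headers.get("origin")

        # Note: The "Origin" header is not sent on the main page request, so we need to
        # explicitly handle it being None.
        if origin is None:
            return self.get_response(request)

        try:
            origin_netloc = urllib.parse.urlparse(origin).netloc
        except ValueError:
            # "Origin" is client-controlled, and urlparse() raises ValueError on some
            # malformed values (such as unbalanced IPv6 brackets). Fail closed with the
            # same rejection as a mismatch instead of letting the exception surface as
            # a server error.
            return http.HttpResponse(status=401)

        if origin_netloc != host:
            # NOTE(review): 403 is the conventional status for a refused cross-origin
            # request (401 normally comes with a WWW-Authenticate challenge); 401 is
            # kept here so existing clients and tests see no change.
            return http.HttpResponse(status=401)

        return self.get_response(request)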