Source code for intranet.middleware.same_origin

import urllib.parse

from django import http



[docs]
class SameOriginMiddleware:
    """
    Blocks requests that set an "Origin" header that's different from the "Host" header
    """


[docs]
    def __init__(self, get_response):
        self.get_response = get_response


    def __call__(self, request):
        host = request.headers.get("host")
        origin = request.headers.get("origin")

        # Note: The "Origin" header is not sent on the main page request, so we need to explicitly
        # handle it being None.
        if origin is not None and urllib.parse.urlparse(origin).netloc != host:
            return http.HttpResponse(status=401)

        return self.get_response(request)