handle allow_origin='*' in check_referrer

minrk · minrk · commit 067c3993f26e · 2020-12-14T14:27:42.000+01:00
allow_origin can be the wildcard '*' to allow any host

check_referer should match check_origin
diff --git a/notebook/base/handlers.py b/notebook/base/handlers.py
@@ -404,6 +404,10 @@ def check_referer(self):
         Used on GET for api endpoints and /files/
         to block cross-site inclusion (XSSI).
         """
+
+        if self.allow_origin == "*" or self.skip_check_origin():
+            return True
+
         host = self.request.headers.get("Host")
         referer = self.request.headers.get("Referer")
 
