tornado websocket 实现的时候,调用可能出现403的错误,
这个是tornado 4.0增加的特性,如果想允许所有的访问,
针对websocket处理类重写同源检查的方法:
class WebSocketHandler(tornado.websocket.WebSocketHandler):
def check_origin(self, origin):
return True
但是文档推荐自己根据cookie来针对性的开放,或者自己实现类似XSRF的保护
Override to enable support for allowing alternate origins.
The origin
argument is the value of the Origin
HTTP header, the url responsible for initiating this request. This method is not called for clients that do not send this header; such requests are always allowed (because all browsers that implement WebSockets support this header, and non-browser clients do not have the same cross-site security concerns).
Should return True to accept the request or False to reject it. By default, rejects all requests with an origin on a host other than this one.
This is a security protection against cross site scripting attacks on browsers, since WebSockets are allowed to bypass the usual same-origin policies and don’t use CORS headers.
Warning
This is an important security measure; don’t disable it without understanding the security implications. In particular, if your authentication is cookie-based, you must either restrict the origins allowed by check_origin()
or implement your own XSRF-like protection for websocket connections. See these articles for more.