diff --git a/IPython/frontend/html/notebook/handlers.py b/IPython/frontend/html/notebook/handlers.py
index 3542346..077dc97 100644
--- a/IPython/frontend/html/notebook/handlers.py
+++ b/IPython/frontend/html/notebook/handlers.py
@@ -16,6 +16,11 @@ Authors:
# Imports
#-----------------------------------------------------------------------------
+try:
+ from urllib.parse import urlparse # Py 3
+except ImportError:
+ from urlparse import urlparse # Py 2
+
import logging
import Cookie
import time
@@ -369,6 +374,30 @@ class KernelActionHandler(AuthenticatedHandler):
class ZMQStreamHandler(websocket.WebSocketHandler):
+ def same_origin(self):
+ """Check to see that origin and host match in the headers."""
+
+ # The difference between version 8 and 13 is that in 8 the
+ # client sends a "Sec-Websocket-Origin" header and in 13 it's
+ # simply "Origin".
+ if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"):
+ origin_header = self.request.headers.get("Sec-Websocket-Origin")
+ else:
+ origin_header = self.request.headers.get("Origin")
+
+ host = self.request.headers.get("Host")
+
+ # If no header is provided, assume we can't verify origin
+ if(origin_header is None or host is None):
+ return False
+
+ parsed_origin = urlparse(origin_header)
+ origin = parsed_origin.netloc
+
+ # Check to see that origin matches host directly, including ports
+ return origin == host
+
+
def _reserialize_reply(self, msg_list):
"""Reserialize a reply message using JSON.
@@ -410,6 +439,11 @@ class ZMQStreamHandler(websocket.WebSocketHandler):
class AuthenticatedZMQStreamHandler(ZMQStreamHandler):
def open(self, kernel_id):
+ # Check to see that origin matches host directly, including ports
+ if not self.same_origin():
+ self.log.warn("Cross Origin WebSocket Attempt.")
+ raise web.HTTPError(404)
+
self.kernel_id = kernel_id.decode('ascii')
try:
cfg = self.application.ipython_app.config