Fixed CORS handling of scheme proxy server header (Fixes miguelgrinbe…

…rg/Flask-SocketIO#1501)
miguelgrinberg · Apr 20, 2021 · fb47df6 · fb47df6
1 parent b84537a
commit fb47df6
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/engineio/server.py b/engineio/server.py
@@ -663,13 +663,15 @@ def _cors_allowed_origins(self, environ):
         if 'wsgi.url_scheme' in environ and 'HTTP_HOST' in environ:
             default_origins.append('{scheme}://{host}'.format(
                 scheme=environ['wsgi.url_scheme'], host=environ['HTTP_HOST']))
-            if 'HTTP_X_FORWARDED_HOST' in environ:
+            if 'HTTP_X_FORWARDED_PROTO' in environ or \
+                    'HTTP_X_FORWARDED_HOST' in environ:
                 scheme = environ.get(
                     'HTTP_X_FORWARDED_PROTO',
                     environ['wsgi.url_scheme']).split(',')[0].strip()
                 default_origins.append('{scheme}://{host}'.format(
-                    scheme=scheme, host=environ['HTTP_X_FORWARDED_HOST'].split(
-                        ',')[0].strip()))
+                    scheme=scheme, host=environ.get(
+                        'HTTP_X_FORWARDED_HOST', environ['HTTP_HOST']).split(
+                            ',')[0].strip()))
         if self.cors_allowed_origins is None:
             allowed_origins = default_origins
         elif self.cors_allowed_origins == '*':

diff --git a/tests/common/test_server.py b/tests/common/test_server.py
@@ -658,6 +658,22 @@ def test_connect_cors_headers_default_origin(self):
         assert ('Access-Control-Allow-Origin', 'http://foo') in headers
 
     def test_connect_cors_headers_default_origin_proxy_server(self):
+        s = server.Server()
+        environ = {
+            'REQUEST_METHOD': 'GET',
+            'QUERY_STRING': 'EIO=4',
+            'wsgi.url_scheme': 'http',
+            'HTTP_HOST': 'foo',
+            'HTTP_ORIGIN': 'https://foo',
+            'HTTP_X_FORWARDED_PROTO': 'https, ftp',
+        }
+        start_response = mock.MagicMock()
+        s.handle_request(environ, start_response)
+        assert start_response.call_args[0][0] == '200 OK'
+        headers = start_response.call_args[0][1]
+        assert ('Access-Control-Allow-Origin', 'https://foo') in headers
+
+    def test_connect_cors_headers_default_origin_proxy_server2(self):
         s = server.Server()
         environ = {
             'REQUEST_METHOD': 'GET',