Origin: null no longer allowed

lbry/extras/daemon/security.py

@@ -23,7 +23,9 @@ def ensure_request_allowed(request, conf):
 
 
 def is_request_allowed(request, conf) -> bool:
-    origin = request.headers.get('Origin', 'null')
-    if origin == 'null' or conf.allowed_origin in ('*', origin):
-        return True
-    return False
+    origin = request.headers.get('Origin')
+    return (
+        origin is None or
+        origin == conf.allowed_origin or
+        conf.allowed_origin == '*'
+    )

tests/unit/lbrynet_daemon/test_allowed_origin.py

@@ -12,11 +12,10 @@ class TestAllowedOrigin(unittest.TestCase):
 
     def test_allowed_origin_default(self):
         conf = Config()
-        # no Origin is always allowed
+        # lack of Origin is always allowed
         self.assertTrue(allowed(request('GET', '/'), conf))
-        # some clients send Origin: null (eg, https://github.com/electron/electron/issues/7931)
-        self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         # deny all other Origins
+        self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'localhost'}), conf))
         self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'hackers.com'}), conf))
 
@@ -32,8 +31,8 @@ class TestAllowedOrigin(unittest.TestCase):
         conf = Config(allowed_origin='localhost')
         # no origin and only localhost are allowed
         self.assertTrue(allowed(request('GET', '/'), conf))
-        self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'localhost'}), conf))
+        self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'hackers.com'}), conf))
 
     def test_ensure_default(self):