From 7296c7df1a14be669385e2144cfe71a3060c9c6f Mon Sep 17 00:00:00 2001
From: Lex Berezhny
Date: Wed, 3 Jun 2020 14:19:16 -0400
Subject: [PATCH] Origin: null no longer allowed
---
 lbry/extras/daemon/security.py | 10 ++++++----
 tests/unit/lbrynet_daemon/test_allowed_origin.py | 7 +++----
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/lbry/extras/daemon/security.py b/lbry/extras/daemon/security.py
index 80fe0ea93..c6ecde6d8 100644
--- a/lbry/extras/daemon/security.py
+++ b/lbry/extras/daemon/security.py
@@ -23,7 +23,9 @@ def ensure_request_allowed(request, conf):
 def is_request_allowed(request, conf) -> bool:
-    origin = request.headers.get('Origin', 'null')
-    if origin == 'null' or conf.allowed_origin in ('*', origin):
-        return True
-    return False
+    origin = request.headers.get('Origin')
+    return (
+        origin is None or
+        origin == conf.allowed_origin or
+        conf.allowed_origin == '*'
+    )
diff --git a/tests/unit/lbrynet_daemon/test_allowed_origin.py b/tests/unit/lbrynet_daemon/test_allowed_origin.py
index 531863ce4..230210202 100644
--- a/tests/unit/lbrynet_daemon/test_allowed_origin.py
+++ b/tests/unit/lbrynet_daemon/test_allowed_origin.py
@@ -12,11 +12,10 @@ class TestAllowedOrigin(unittest.TestCase):
     def test_allowed_origin_default(self):
         conf = Config()
-        # no Origin is always allowed
+        # lack of Origin is always allowed
         self.assertTrue(allowed(request('GET', '/'), conf))
-        # some clients send Origin: null (eg, https://github.com/electron/electron/issues/7931)
-        self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         # deny all other Origins
+        self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'localhost'}), conf))
         self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'hackers.com'}), conf))
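Review bot: `is_request_allowed` still carries no docstring, and the new expression compares the `Origin` header by exact string equality, so the policy it now implements is stated nowhere in the code: a request with no header passes unconditionally, and any present value — including the literal `null` this commit stops trusting — must equal `conf.allowed_origin` byte-for-byte, in the `scheme://host[:port]` form browsers send, unless that setting is `'*'`. I would add a docstring such as `"""Return True if the request has no Origin header, or its Origin exactly equals conf.allowed_origin (or allowed_origin is '*'); 'null' and any other non-matching value are rejected."""`. It is worth confirming that the missing-header case is meant to stay permissive (it is the path non-browser clients take), and if so saying that explicitly in the docstring so a later reader does not "fix" it. As a style point, the `or` operators sit at line ends, whereas PEP 8 now recommends breaking before binary operators. `ensure_request_allowed` begins before the hunk, so its interaction with the new return value is not visible here.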
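Review bot: The new `assertFalse` for `Origin: null` is filed under the existing `# deny all other Origins` comment with no explanation of why a value the old test explicitly accepted is now rejected, so the only trace of that decision is the removed Electron reference. I would add a comment directly above the new assertion, e.g. `# 'null' is an opaque origin (file://, sandboxed frames) that cannot identify a caller, so it is denied`. Separately, the origin values exercised here (`'localhost'`, `'hackers.com'`) are bare hostnames, whereas browsers serialize Origin as `scheme://host[:port]`, and since the production check is an exact string comparison a case pairing a Config whose allowed_origin is a full origin with the identical header value (constructed example: `'http://localhost:5279'`) would show the test covering a realistic input. The same missing comment applies to the second hunk (the `allowed_origin='localhost'` case), where the `null` assertion is flipped in the same way.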
@@ -32,8 +31,8 @@ class TestAllowedOrigin(unittest.TestCase):
         conf = Config(allowed_origin='localhost')
         # no origin and only localhost are allowed
         self.assertTrue(allowed(request('GET', '/'), conf))
-        self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         self.assertTrue(allowed(request('GET', '/', headers={'Origin': 'localhost'}), conf))
+        self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'null'}), conf))
         self.assertFalse(allowed(request('GET', '/', headers={'Origin': 'hackers.com'}), conf))
     def test_ensure_default(self):