258 |
258 |
from . import cors
|
259 |
259 |
@wraps(func)
|
260 |
260 |
def f(request, *args, **kwargs):
|
|
261 |
jsonp = False
|
|
262 |
# Differentiate JSONP from AJAX
|
|
263 |
if request.method == 'GET':
|
|
264 |
for variable in ('jsonpCallback', 'callback'):
|
|
265 |
if variable in request.GET:
|
|
266 |
identifier = request.GET[variable]
|
|
267 |
if not re.match(r'^[$a-zA-Z_][0-9a-zA-Z_$]*$', identifier):
|
|
268 |
return HttpResponseBadRequest('invalid JSONP callback name')
|
|
269 |
jsonp = True
|
|
270 |
break
|
261 |
271 |
# 1. check origin
|
262 |
|
origin = request.META.get('HTTP_ORIGIN')
|
263 |
|
if origin is None:
|
|
272 |
if jsonp:
|
264 |
273 |
origin = request.META.get('HTTP_REFERER')
|
|
274 |
if not origin:
|
|
275 |
# JSONP is unusable for people without referers
|
|
276 |
return HttpResponseForbidden('bad origin')
|
|
277 |
origin = cors.make_origin(origin)
|
|
278 |
if not cors.check_origin(request, origin):
|
|
279 |
return HttpResponseForbidden('bad origin')
|
|
280 |
else:
|
|
281 |
origin = request.META.get('HTTP_ORIGIN')
|
265 |
282 |
if origin:
|
266 |
|
origin = cors.make_origin(origin)
|
267 |
|
if not cors.check_origin(request, origin):
|
268 |
|
return HttpResponseForbidden('bad origin')
|
|
283 |
if not cors.check_origin(request, origin):
|
|
284 |
return HttpResponseForbidden('bad origin')
|
269 |
285 |
# 2. build response
|
270 |
286 |
result = func(request, *args, **kwargs)
|
271 |
287 |
json_str = json_dumps(result)
|
272 |
|
response = HttpResponse(content_type='application/json')
|
273 |
|
for variable in ('jsonpCallback', 'callback'):
|
274 |
|
if variable in request.GET:
|
275 |
|
identifier = request.GET[variable]
|
276 |
|
if not re.match(r'^[$a-zA-Z_][0-9a-zA-Z_$]*$', identifier):
|
277 |
|
return HttpResponseBadRequest('invalid JSONP callback name')
|
278 |
|
json_str = '%s(%s);' % (identifier, json_str)
|
279 |
|
break
|
|
288 |
if jsonp:
|
|
289 |
response = HttpResponse(content_type='application/javascript')
|
|
290 |
json_str = '%s(%s);' % (identifier, json_str)
|
280 |
291 |
else:
|
|
292 |
response = HttpResponse(content_type='application/json')
|
281 |
293 |
response['Access-Control-Allow-Origin'] = origin
|
282 |
294 |
response['Access-Control-Allow-Credentials'] = 'true'
|
283 |
295 |
response['Access-Control-Allow-Headers'] = 'x-requested-with'
|
284 |
|
-
|