improve Origin handling; forbind non-https origins in production

src/capport/api/views.py

@@ -101,16 +101,22 @@ def check_self_origin():
     if origin is None:
         # not a request by a modern browser - probably curl or something similar. don't care.
         return
+    origin = origin.lower().strip()
+    if origin == 'none':
+        quart.abort(403, 'Origin is none')
     origin_parts = origin.split('/')
-    # Origin should look like: protocol://hostname  (possibly a /path suffix?)
+    # Origin should look like: <scheme>://<hostname>  (optionally followed by :<port>)
     if len(origin_parts) < 3:
         quart.abort(400, 'Broken Origin header')
-    origin_host = origin_parts[2].lower()
+    if origin_parts[0] != 'https' and not app.my_config.debug:
+        # -> require https in production
+        quart.abort(403, 'Non-https Origin not allowed')
+    origin_host = origin_parts[2]
     host = quart.request.headers.get('Host', None)
     if host is None:
-        quart.abort(400, 'Missing Host header')
+        quart.abort(403, 'Missing Host header')
     if host.lower() != origin_host:
-        quart.abort(400, 'Origin mismatch')
+        quart.abort(403, 'Origin mismatch')
 
 
 @app.route('/', methods=['GET'])