Add test verifying Tornado rejects cross-origin WebSocket connections

scottshambaugh · scottshambaugh · commit dff28876bb1a · 2026-03-12T20:10:27.000-06:00
diff --git a/lib/matplotlib/tests/test_backend_webagg.py b/lib/matplotlib/tests/test_backend_webagg.py
@@ -53,3 +53,27 @@ def test_toolbar_button_dispatch_allowlist():
     canvas.handle_toolbar_button({'name': 'not_a_real_button'})
     # No methods should have been called.
     assert canvas.toolbar.method_calls == []
+
+
+@pytest.mark.parametrize("host, origin, allowed", [
+    ("localhost:8988", "http://localhost:8988", True),
+    ("localhost:8988", "http://evil.com", False),
+    ("localhost:8988", "http://127.0.0.1:8988", False),
+    ("localhost:8988", "http://[::1]:8988", False),
+    ("127.0.0.1:8988", "http://127.0.0.1:8988", True),
+    ("127.0.0.1:8988", "http://localhost:8988", False),
+    ("127.0.0.1:8988", "http://[::1]:8988", False),
+    ("[::1]:8988", "http://[::1]:8988", True),
+    ("[::1]:8988", "http://[::2]:8988", False),
+    ("[::1]:8988", "http://localhost:8988", False),
+    ("[::1]:8988", "http://evil.com", False),
+])
+def test_websocket_rejects_cross_origin(host, origin, allowed):
+    """Verify Tornado's default check_origin rejects cross-origin requests."""
+    pytest.importorskip("tornado")
+    from matplotlib.backends.backend_webagg import WebAggApplication
+
+    ws = WebAggApplication.WebSocket.__new__(WebAggApplication.WebSocket)
+    ws.request = MagicMock()
+    ws.request.headers = {"Host": host}
+    assert ws.check_origin(origin) is allowed
