403 error on tornado websocket call



When you implement a Tornado WebSocket handler, the call may fail with a 403 error.

This is a feature added in Tornado 4.0. If you want to allow all access, override the same-origin check in the WebSocket handler class:

import tornado.websocket

class WebSocketHandler(tornado.websocket.WebSocketHandler):
    def check_origin(self, origin):
        # Accept the handshake from any origin (disables the same-origin check)
        return True


However, the documentation recommends opening access selectively: if your authentication is cookie-based, either restrict the allowed origins or implement XSRF-like protection yourself. The documentation for check_origin reads:


Override to enable support for allowing alternate origins.

The origin argument is the value of the Origin HTTP header, the url responsible for initiating this request. This method is not called for clients that do not send this header; such requests are always allowed (because all browsers that implement WebSockets support this header, and non-browser clients do not have the same cross-site security concerns).

Should return True to accept the request or False to reject it. By default, rejects all requests with an origin on a host other than this one.

This is a security protection against cross site scripting attacks on browsers, since WebSockets are allowed to bypass the usual same-origin policies and don’t use CORS headers.

Warning

This is an important security measure; don’t disable it without understanding the security implications. In particular, if your authentication is cookie-based, you must either restrict the origins allowed by check_origin() or implement your own XSRF-like protection for websocket connections. See these articles for more.
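A restrictive check_origin in line with the warning above, as an added example that is not from the original page or the Tornado documentation. The allowlist entries, the names normalize_origin and OriginAllowlistMixin, and the ChatSocket handler in the comment are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist: (scheme, host, port) of the pages allowed to open the socket.
ALLOWED_ORIGINS = {
    ("https", "app.example.com", 443),
    ("https", "admin.example.com", 8443),
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin header value, or None if malformed."""
    try:
        parsed = urlparse(origin)
        port = parsed.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    scheme = parsed.scheme.lower()
    host = parsed.hostname  # lower-cased, without port
    if scheme not in DEFAULT_PORTS or not host:
        return None  # covers "null" and non-http(s) origins
    # An Origin is scheme://host[:port] only; reject userinfo, path, query, fragment.
    if "@" in parsed.netloc or parsed.path not in ("", "/"):
        return None
    if parsed.query or parsed.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, host, port


class OriginAllowlistMixin:
    """Exact-match origin check; avoids substring or endswith comparisons."""

    allowed_origins = ALLOWED_ORIGINS

    def check_origin(self, origin):
        return normalize_origin(origin) in self.allowed_origins


# Usage with Tornado (mixin listed first so its check_origin takes precedence):
#
#   import tornado.websocket
#
#   class ChatSocket(OriginAllowlistMixin, tornado.websocket.WebSocketHandler):
#       def on_message(self, message):
#           self.write_message(message)
```

As the documentation quoted above states, check_origin is not called when the client sends no Origin header, so this check constrains browsers only and does not replace authentication.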

