Validate /websocket requests from browser dialer page #3295
Conversation
Adding yet another environment variable is inelegant; make the path customizable instead, for example like this. While you're at it, the current one based on

This requires the user to choose a secret path. I was trying to make the default invocation (the value copy-pasted from the docs) safe by default. What do you think about sending a CSRF token through the webpage, and sending it back from the browser when opening

Sure, just generating a random value when Xray starts would do.
if conn, err := upgrader.Upgrade(w, r, nil); err == nil { | ||
conns <- conn | ||
} else { | ||
newError("Browser dialer http upgrade unexpected error").AtError().WriteToLog() | ||
} | ||
} else { | ||
w.Write(webpage) | ||
w.Write([]byte("<script>\ncsrfToken = \"")) |
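Review bot: In the else branch at the end of the hunk the token is opened inside a JS string literal by raw concatenation (`w.Write([]byte("<script>\ncsrfToken = \""))`), so the page stays well-formed only as long as the token alphabet can never contain `"` or `\`; either pin the encoding to hex or base64url where the token is generated, or emit it through `template.JSEscapeString`, so a later change to the generator cannot turn this into a script breakout. The return values of both `w.Write` calls are also discarded, and nothing in the hunk sets a Content-Type before the first write.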
It is a bit hard to read, but I did not like the idea of using cookies or a templating engine.

Not entirely sure I understand the translation, but my concern is not local applications, but rather webpages, which cannot read environment variables anyway.

This PR is "ready".

I overcomplicated it; let me revise.
Fix #3236
Validate the origin of inbound websocket requests by default. If the user wants to change origin validation, they can set XRAY_BROWSER_DIALER_ORIGIN=http://custom.localhost.net:3000.
The current implementation is very inconvenient, because the origin is validated very strictly. If XRAY_BROWSER_DIALER=http://127.0.0.1:3000, then the user has to visit 127.0.0.1, not localhost. Is there a function to normalize this difference? Should xray perform DNS requests to normalize host names? (I think this could open more attack vectors, using DNS rebinding.)