WebSocket Origin restrictions #20
Comments
I'm having a possibly related/inverted issue. I want to connect via a nodejs websocket. When trying to connect directly to the IP websocketd throws a 403 back at me. If I however use a proper hostname I can connect. My problem is that I need to be able to connect using the IP. So ideally I need the --anyorigin...?
Default needs explanation.
How about --origin=* instead of anyorigin? Trying to minimize number of flags would be good at this point :)
👍 for --origin=*
Thing about * is that most shells would attempt to wildcard complete. You'd
On Thursday, April 3, 2014, Alex Sergeyev notifications@github.com wrote:
--origin=any or all ?
See, "any" could actually represent a hostname for some fancy people. As an option to avoid shell wildcard it could be then --origin=- (minus) or --origin=. (dot) but it might be that --anyorigin is what we need to settle with... (just going to be another set of conflicting flags as --devconsole with cgidir/staticdir)
I would actually like to see any be the default. And if users want to specify, pass the --origin flag.
I can get behind that. It's convenient. In that case we'd need to add a
On Thu, Apr 3, 2014 at 9:52 AM, asbjornenge notifications@github.com wrote:
Ok... usecases:
would that be correct?
Also question... Should origin directives cause fatal failure if neither command nor --dir are specified?
asergeyev/websocketd@master...originchecks
IMO this will eventually lead to create proper "request" type that implements http.Request stuff, URLInfo, ... and defines libwebsocketd specific things. But for now there is just requestInfo handicap struct. This does not look bad, just probably needs to be armored by better comments. Comments welcome. I added http_test to start actually checking things not by running examples but by verifying logic :) Did not get far there though :(
Background
WebSockets are cross domain by default, e.g. a page on http://foo can open a WebSocket on ws://bar.
User defined WebSocket endpoints can see the originating origin through the Origin HTTP header (exposed as HTTP_ORIGIN environment variable to scripts). If they wanted to restrict to certain origins, they could check at the beginning of the script and exit appropriately.
Problem
The above works, but:
Proposed solution
websocketd should perform origin checking and reject mismatches before invoking user scripts. Configuration via command line flags.
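A sketch of both checks the issue talks about, the script-side test against HTTP_ORIGIN from the Background section and the server-side rejection before the script is launched from the Proposed solution, written here as an added Go example; it is not websocketd's own code. The names (OriginPolicy, ParseOriginFlag, ScriptSideCheck), the flag syntax ("*" for any origin, otherwise a comma-separated host[:port] list, empty for the default) and the default of comparing the Origin host literally against the request Host are all assumptions made for the example; the sample handshakes in main are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// OriginPolicy is an illustrative model of the origin checking discussed in
// this issue; the type and the flag syntax are assumptions, not websocketd's.
type OriginPolicy struct {
	AllowAny bool     // the "--origin=*" / "--anyorigin" case from the thread
	Allowed  []string // explicit host[:port] values; empty means same host only
}

// ParseOriginFlag reads an assumed --origin value: "*" allows any origin,
// otherwise a comma-separated list of host[:port]; "" keeps the default.
func ParseOriginFlag(value string) OriginPolicy {
	value = strings.TrimSpace(value)
	if value == "*" {
		return OriginPolicy{AllowAny: true}
	}
	var p OriginPolicy
	for _, h := range strings.Split(value, ",") {
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" {
			p.Allowed = append(p.Allowed, h)
		}
	}
	return p
}

// OriginAllowed decides whether a handshake carrying the given Origin header
// may proceed for a request whose Host header is host. The reason is returned
// on rejection so the 403 and the log line can say what mismatched.
func (p OriginPolicy) OriginAllowed(origin, host string) (bool, string) {
	if p.AllowAny {
		return true, ""
	}
	if origin == "" {
		// Browsers always send Origin; a missing header means a non-browser
		// client, which could forge any value anyway, so the check is moot.
		return true, ""
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return false, "malformed Origin header" // also covers "Origin: null"
	}
	oh := strings.ToLower(u.Host)
	if len(p.Allowed) == 0 {
		// Default: Origin host[:port] must equal the request Host literally, so a
		// page loaded by hostname is not allowed a socket addressed by raw IP.
		if oh == strings.ToLower(host) {
			return true, ""
		}
		return false, fmt.Sprintf("origin host %q does not match request host %q", oh, host)
	}
	for _, a := range p.Allowed {
		if a == oh {
			return true, ""
		}
	}
	return false, fmt.Sprintf("origin host %q is not in the allowed list", oh)
}

// Middleware is the server-side form: reject before the wrapped handler (where
// websocketd would upgrade the connection and launch the script) ever runs.
func (p OriginPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, reason := p.OriginAllowed(r.Header.Get("Origin"), r.Host); !ok {
			http.Error(w, "403 Forbidden: "+reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ScriptSideCheck is the script-side form from the Background section: the
// launched program reads HTTP_ORIGIN from its environment and decides whether
// to carry on or exit. getenv is injected so the check runs offline in tests;
// serverHost is passed in because the default policy needs it.
func ScriptSideCheck(getenv func(string) string, p OriginPolicy, serverHost string) bool {
	ok, _ := p.OriginAllowed(getenv("HTTP_ORIGIN"), serverHost)
	return ok
}

func main() {
	// Constructed sample handshakes, not captured traffic.
	def := ParseOriginFlag("")
	for _, c := range []struct{ origin, host string }{
		{"http://foo", "foo"},
		{"http://foo", "10.0.0.5"},
		{"http://bar", "foo"},
		{"", "foo"},
	} {
		ok, reason := def.OriginAllowed(c.origin, c.host)
		fmt.Printf("Origin=%q Host=%q -> allowed=%v %s\n", c.origin, c.host, ok, reason)
	}
}
```

The literal host comparison in the default policy is deliberate: "foo" and "10.0.0.5" may be the same machine, but the browser only tells the server which name the page was loaded from, so anything looser than an exact match (or an explicit allowlist) reopens the cross-site case the check exists to close. A script doing its own check should exit before reading any stdin, since websocketd has already started it by then.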
Examples: