WebSocket Origin restrictions

[joewalnes]

Background

WebSockets are cross domain by default. e.g. A page on http://foo can open a WebSocket on ws://bar.

User defined WebSocket endpoints can see the originating origin through the Origin HTTP header (exposed as HTTP_ORIGIN environment variable to scripts). If they wanted to restrict to certain origins, they could check at the beginning of the script and exit appropriately.

Problem

The above works, but:

• It's tedious. If there are many scripts it would have to be applied to each of them.
• Security should be "on" by default.
• Deployment configuration (eg hostnames) gets buried in runtime code.

Proposed solution

websocketd should perform origin checking and reject mismatches before invoking user scripts. Configuration via command line flags.

Examples:

• Default: restrict to same origin only.
• "--origin=foo,bar:1234": only allow if origin is from http://foo (any port) or http://bar:1234
• "--anyorigin": Allow for any origin

[asbjornenge]

I'm having a possibly related/inverted issue. I want to connect via a nodejs websocket. When trying to connect directly to the IP websocketd throws a 403 back at me. If I however use the a proper hostname I can connect.

My problem is that I need to be able to connect using the IP. So ideally I need the --anyorigin...?

[asergeyev]

Default needs explanation.

1. Should be same hostname but any port in most cases? If I said --address=1.2.3.4 and I see Origin: hostname.com; should I resolve hostname.com and see if 1.2.3.4 is in the list of addresses I can fetch? Looks slightly expensive to do this on all requests but manageable.
2. What if Origin is "file://" ? Should websocketd be checking if localhost is in allowed origin list?
3. What if websocket listens on "", "0.0.0.0" or "::" .. should we allow any origin? I think that in this case "security is ON by default" gets harder to implement.

[joewalnes]

1. No resolution should occur. If user wants to allow from origin by IP address and hostname they should specify multiple options.
2. I think file should be a special case. By default not, but we can add a --fileorigin.
3. For the same origin case, rather than comparing the Origin header to the server listen, we should be comparing it to the sent Host header (i.e. what the browser thinks its talking to). The websocket bind address is not used.

[asergeyev]

How about --origin=* instead of anyorigin? Trying to minimize number of flags would be good at this point :)

[asbjornenge]

👍 for --origin=*

[joewalnes]

Thing about * is that most shells would attempt to wildcard complete. You'd
need to do --origin=* which looks messy.

On Thursday, April 3, 2014, Alex Sergeyev notifications@github.com wrote:

How about --origin=* instead of anyorigin? Trying to minimize number of
flags would be good at this point :)

Reply to this email directly or view it on GitHubhttps://github.com//issues/20#issuecomment-39446966
.

[asbjornenge]

--origin=any or all ?

[asergeyev]

See, "any" could actually represent a hostname for some fancy people.

As an option to avoid shell wildcard it could be then --origin=- (minus) or --origin=. (dot) but it might be that --anyorigin is what we need to settle with... (just going to be another set of conflicting flags as --devconsole with cgidir/staticdir)

[asbjornenge]

I would actually like to see any be the default. And if users want to specify, pass the --origin flag.

[joewalnes]

I can get behind that. It's convenient. In that case we'd need to add a
--sameorigin flag for the currently proposed default behavior.

On Thu, Apr 3, 2014 at 9:52 AM, asbjornenge notifications@github.comwrote:

I would actually like to see any be the default. And if users want to
specify, pass the --origin flag.

Reply to this email directly or view it on GitHubhttps://github.com//issues/20#issuecomment-39460608
.

[asergeyev]

Ok... usecases:

1. "--sameorigin" only: allow upgrade from any origin that matches currently requested Host header
2. "--origin foo,bar:12345": allow upgrade only when origin is foo:* or bar:12345
3. "--origin foo,bar:12345 --sameorigin": alow upgrade only when origin is foo:* or bar:12345 but only when it matches Host header
4. none of above - allow any origin

would that be correct?

[asergeyev]

Also question... Should origin directives cause fatal failure if neither command nor --dir are specified?

[asergeyev]

asergeyev/websocketd@master...originchecks
My vision of origin checks. It required slight refactor of things to prevent adding more and more arguments to acceptWebsocket and createEnv.

IMO this will eventually lead to create proper "request" type that implements http.Request stuff, URLInfo, ... and defines libwebsocketd specific things. But for now there is just requestInfo handicap struct. This does not look bad, just probably needs to be armored by better comments.

Comments welcome. I added http_test to start actually checking things not by running examples but by verifying logic :) Did not get far there though :(