Comments (10)
I don't want people to have to parse Origin themselves and compare. I feel like they'd just give up due to the boilerplate and pass websocket.AcceptInsecureOrigin().
from websocket.
TODO: open a new issue about adding an AcceptInsecureOrigin option.
from websocket.
Their code would be something like parsing the Origin header and then comparing the host of the origin header against some validated domains.
Line 175 in 932d16d
My concern is that during a refactoring, it'd be really easy to move around code and then miss this critical security check.
from websocket.
Or they don't realize they need to do a url.Parse and do something like strings.Contains, which enables a CSRF attack I think.
from websocket.
Another option is to make AcceptOrigin take a closure that takes the origin header and returns a boolean if the origin header is ok, similar to gorilla/websocket. I think that'd be pretty reasonable tbh. Would be really simple code. I'd also have to make sure to always strings.LowerCase the domain though so it's easy for them to just use HasSuffix or == and not EqualFold.
from websocket.
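Added example for the two comments above (the strings.Contains pitfall, and the "lowercase once, then == or HasSuffix" closure idea). This is editor-written Go against net/http only; it is not code from the websocket package or from this thread, and the names originHost, NaiveAllowed, StrictAllowed, SubdomainAllowed, OriginChecker, AllowDomains and RequireOrigin are all assumed for illustration. The sample Origin values are constructed. For reference, gorilla/websocket's CheckOrigin takes the whole *http.Request rather than the Origin string; the closure here takes the string, as the comment proposes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// originHost extracts the lowercased hostname from an Origin header value.
// Scheme and port are deliberately dropped because the thread talks about
// comparing against "a list of domains"; a stricter policy would keep them.
// The bool is false for a missing, unparsable or host-less Origin (for
// example the literal "null" some browsers send), which callers reject.
func originHost(origin string) (string, bool) {
	if origin == "" {
		return "", false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Hostname() == "" {
		return "", false
	}
	return strings.ToLower(u.Hostname()), true
}

// NaiveAllowed is the mistake the thread warns about: substring matching on
// the raw header without parsing it. Any attacker-chosen origin that merely
// contains the trusted name passes, so it does not stop a cross-site
// WebSocket hijack (the CSRF-style attack mentioned above).
func NaiveAllowed(origin, trusted string) bool {
	return strings.Contains(origin, trusted)
}

// StrictAllowed is the "==" approach: parse, lowercase, exact-match the host.
func StrictAllowed(origin string, allowed []string) bool {
	host, ok := originHost(origin)
	if !ok {
		return false
	}
	for _, a := range allowed {
		if host == strings.ToLower(a) {
			return true
		}
	}
	return false
}

// SubdomainAllowed is the HasSuffix approach for a domain plus its subdomains.
// The suffix must be "."+domain: a bare strings.HasSuffix(host, "example.com")
// would also accept notexample.com.
func SubdomainAllowed(origin, domain string) bool {
	host, ok := originHost(origin)
	if !ok {
		return false
	}
	domain = strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// OriginChecker is the closure shape floated above: raw header in, allow/deny
// out. Assumed name, not an API of the websocket package.
type OriginChecker func(origin string) bool

// AllowDomains builds an OriginChecker from an allowlist of exact domains.
func AllowDomains(domains ...string) OriginChecker {
	return func(origin string) bool { return StrictAllowed(origin, domains) }
}

// RequireOrigin runs the checker in front of the handler that would perform
// the WebSocket accept, so a refactor of the handler cannot drop the check.
func RequireOrigin(check OriginChecker, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r.Header.Get("Origin")) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	const trusted = "example.com"
	// Constructed sample Origin values, not captured traffic.
	samples := []string{
		"https://example.com",
		"https://EXAMPLE.com:8443",
		"https://app.example.com",
		"https://example.com.attacker.test",
		"https://attacker.test/?example.com",
		"https://example.com@attacker.test",
		"https://notexample.com",
		"null",
	}
	for _, o := range samples {
		fmt.Printf("%-36q naive=%-5t exact=%-5t subdomain=%t\n", o,
			NaiveAllowed(o, trusted), StrictAllowed(o, []string{trusted}), SubdomainAllowed(o, trusted))
	}
}
```

Running main shows the three lookalike origins (trusted name in a subdomain, in the query string, and in the userinfo before "@") all pass the naive substring check and all fail once the header is actually parsed; the uppercase host with a port still matches after lowercasing, so == and HasSuffix are enough and EqualFold is not needed.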
That's definitely the move.
from websocket.
Though, I can't really see a case where someone wants to accept origins that aren't just a list of domains.
from websocket.
Another issue I have with the current API is that it's hard to fully disable origin validation as you'll have to parse the domain out of the origin header and pass it to AcceptOrigins or remove the Origin header from the *http.Request which I suppose is reasonable but janky and *http.Request is documented to not ever be modified by handlers.
from websocket.
I think I just add an AcceptInsecureOrigin option to disable validation and panic if both AcceptOrigins and AcceptInsecureOrigin are passed.
from websocket.
There are three situations:
1. You want to dial cross origin and have cookies be sent
2. You want to dial cross origin and send auth via a query parameter or via a ws message
3. You want to dial cross origin and not send auth
I don't think 1 is very common. I think 2 and 3 are far more common because 2 gives auth control to the dialing javascript and 3 allows public cross origin WebSocket servers.
I cannot think of a good scenario in which 1 would be used so I'm going to remove AcceptOrigins for now and just add AcceptInsecureOrigin, which I think will work better as it targets the common cases.
from websocket.