dart-lang / sdk

The Dart SDK, including the VM, JS and Wasm compilers, analysis, core libraries, and more.
https://dart.dev
BSD 3-Clause "New" or "Revised" License

WebSocket endpoints should verify that the "Origin" HTTP header specifies a domain which is allowed to talk to it #19680

Open a-siva opened 10 years ago

a-siva commented 10 years ago

The design of modern web browsers is that any origin (i.e. JavaScript running within the security context of any domain) can establish a WebSocket connection with any endpoint on the internet: the browsers themselves don't put any restrictions in this regard and they even send the associated cookies to the destination domain.

Therefore, it is required for WebSocket endpoints to verify that the "Origin" HTTP header specifies a domain which is allowed to talk to it - in most cases, this means "the domain the WebSocket endpoint is served from". For more information on this, see http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html.

Therefore, it would be useful to have functionality in the WebSocketTransformer (or even more generically, HttpServer) which would allow the developer to specify a whitelist of domains (or regular expressions for them etc.), only from which requests will be allowed to be processed. This would potentially make it much easier for programmers to secure their WebSocket services and globally raise the awareness of the problem.
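The check the issue asks for can already be done by hand in front of `WebSocketTransformer.upgrade`. The following is an added example, not code from the Dart SDK or from the issue author; the allowlist contents, the port, and the echo handler are constructed for illustration.

```dart
import 'dart:io';

// Constructed allowlist: the origins permitted to open a WebSocket to this
// server. In most deployments this is just the origin the page is served from.
const allowedOrigins = {'https://app.example.com', 'https://example.com'};

/// Returns true only when the Origin header is present, parses as an http(s)
/// origin, and exactly matches an allowed origin. A missing Origin is rejected:
/// browsers always send it on WebSocket upgrades, so its absence means a
/// non-browser client or a proxy that stripped it, which we treat as untrusted.
bool originAllowed(HttpHeaders headers) {
  final origin = headers.value('origin');
  if (origin == null) return false;
  final uri = Uri.tryParse(origin);
  if (uri == null || uri.host.isEmpty) return false;
  if (uri.scheme != 'http' && uri.scheme != 'https') return false;
  // Uri.origin yields scheme://host[:port] with scheme and host normalised,
  // and Set.contains is an exact comparison, not a prefix or substring match,
  // so "https://example.com.evil.test" does not pass.
  return allowedOrigins.contains(uri.origin);
}

Future<void> main() async {
  final server = await HttpServer.bind(InternetAddress.loopbackIPv4, 8080);
  await for (final request in server) {
    if (!WebSocketTransformer.isUpgradeRequest(request)) {
      request.response
        ..statusCode = HttpStatus.notFound
        ..close();
      continue;
    }
    if (!originAllowed(request.headers)) {
      // Reject before upgrading: the caller never gets a socket, and the
      // attempt is logged so cross-site hijacking tries are visible.
      stderr.writeln('rejected WebSocket upgrade from origin '
          '${request.headers.value('origin') ?? '<none>'}');
      request.response
        ..statusCode = HttpStatus.forbidden
        ..close();
      continue;
    }
    final socket = await WebSocketTransformer.upgrade(request);
    socket.listen((message) => socket.add('echo: $message'));
  }
}
```

Cookies are sent with the upgrade regardless of this check, so the Origin comparison must happen before any session-bound work is done on the connection.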

floitschG commented 10 years ago

Added Triaged label.

floitschG commented 10 years ago

Added Library-IO label.