Gives 400 error with firefox, due to "Connection: keep-alive, Upgrade" header

[h2g2bob]

flask-sock works on chrome, but not firefox

The cause (I think) is that, if you make a new WebSocket(...), Firefox will send a Connection: keep-alive, Upgrade header; while chrome will send Connection: Upgrade.

A test case:

Using example/echo.py

Example echo program gives HTTP 400 error when

(
cat <<-HERE
GET /echo HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.5
Accept: */*
Cache-Control: no-cache
Connection: keep-alive, Upgrade
Host: localhost:5000
Origin: http://localhost:5000
Pragma: no-cache
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-origin
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: Si2vqsmnEu7aH/u5zilOqA==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

HERE
sleep 60
) | nc.openbsd -C localhost 5000

Returns

HTTP/1.0 400 BAD REQUEST
Content-Type: text/html; charset=utf-8
Content-Length: 192
Server: Werkzeug/2.0.1 Python/3.7.3
Date: Wed, 25 Aug 2021 17:33:56 GMT

But the same test, but altering the Connection line from Connection: keep-alive, Upgrade to Connection: Upgrade gives a successful response:

HTTP/1.1 101 
Upgrade: WebSocket
Sec-WebSocket-Accept: jyls5FTT7go6ndRt0A4ynv482sU=

Thanks!

[miguelgrinberg]

This has been fixed long ago in Werkzeug (see https://github.com/pallets/werkzeug/issues/2131), but there hasn't been a release to PyPi since then. You can install Werkzeug's main branch from GitHub to get this fix.

[miguelgrinberg]

Werkzeug 2.0.2 has now been released with this fix.