Open atx opened 7 years ago
Easiest solution is probably to implement the content security policy connect-src
directive. So WebSocket connections are only allowed from the same origin.
I don't think this would fix anything at all. The whole CSP is aimed at protecting an HTML page (so that a malicious injected script/resource cannot do much harm), but the reported vulnerability considers an attacker connecting to the (unprotected) websocket endpoint. The endpoint itself has no notion of CSP/protection.
The websocket endpoint is missing CSRF (CSWSH) protection, allowing a malicious website to control the client.
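To illustrate the point made in this thread, here is an added example (not code from the project or from either commenter) of the server-side check that a page-level `connect-src` directive cannot substitute for: validating the `Origin` header of the WebSocket upgrade request against an allow-list, plus a per-session token as defense in depth. The allow-list, paths and token values are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of origins permitted to open a WebSocket to this
# endpoint; a real deployment would load this from configuration.
ALLOWED_ORIGINS = {"https://app.example.test", "http://localhost:8080"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return scheme://host[:port] with default ports dropped, or None if malformed."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # e.g. "null", relative text, or unsupported scheme
    try:
        port = parts.port
    except ValueError:
        return None  # non-numeric or out-of-range port
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade may proceed based on its Origin header.

    Browsers always send Origin on a WebSocket handshake, so a missing or
    foreign Origin is rejected. This is enforced by the endpoint itself; a CSP
    on the application's HTML page has no effect on what this endpoint accepts.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    origin = lookup.get("origin")
    if not origin:
        return False
    normalized = normalize_origin(origin)
    if normalized is None:
        return False
    return normalized in {normalize_origin(a) for a in allowed}


def handshake_allowed(headers, path, expected_token, allowed=ALLOWED_ORIGINS):
    """Origin check plus a per-session token carried in the upgrade URL."""
    if not origin_allowed(headers, allowed):
        return False
    supplied = parse_qs(urlsplit(path).query).get("token", [""])[0]
    # Constant-time comparison so the token check does not leak via timing.
    return hmac.compare_digest(supplied.encode(), expected_token.encode())
```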