albiondata-client
Secure the websocket connection
Concern: We have a websocket open that would allow anyone that connects to it access to any of the public and private data we push over it.
Scenario: Evil person comes along, creates nifty website, encourages many people to visit web site. After a while evil person adds a little script that attempts to connect to the localhost websocket. If successful it then ships the data off to its own backend.
This would be bad. Very bad.
There are a few ways this could be prevented:
- The most secure option: Require an authorization header. When the client starts, if there is no password configured in the config file, generate one and save it in the config file. For Windows we could easily add a menu option to the systray icon that copies the password to the clipboard (I assume Go has an easy option to put a string on the clipboard).
- The less secure option: Require a specific user-agent be set. A browser will not let applications change the user-agent. I don't know what this would do to things like an Electron application though.
- Another less secure option: Check the origin header. Browsers will set that to the current page and only accept requests that, if that is set, have it set to localhost.
Thoughts? @pcdummy
Checking the origin header should be a first step; this should actually be pretty simple. What exactly is the websocket server used for?
Another option:
- Open a Popup: "Allow connection from Firefox?"
@oxisto One of our objectives right now is to give more reason for people to download and install the client. A way we decided we could do that, and help the rest of the development community, was by offering a local websocket server. This would allow other developers to build applications without having to dig into the network packets. They could just tell their users to install the albiondata client along with their application and just connect to the local websocket server.
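The authorization-header and Origin checks proposed in this thread, combined into one handshake gate, as an added example that is not part of the thread or the project's code. It assumes a `Bearer` scheme for the generated password; the function names, the `/ws` path and port 8099 are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/url"
)

// newToken makes the random password the client would save in its config file.
func newToken() (string, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return hex.EncodeToString(b), err
}

// originIsLocal reports whether an Origin header value names this machine.
func originIsLocal(origin string) bool {
	u, err := url.Parse(origin)
	return err == nil && (u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1" || u.Hostname() == "::1")
}

// authorize returns the HTTP status for a handshake; 200 means go on to upgrade.
func authorize(token, origin, authz string) int {
	// Browsers send Origin on WebSocket handshakes; native clients may omit it.
	if origin != "" && !originIsLocal(origin) {
		return http.StatusForbidden
	}
	// The browser WebSocket API has no way to set custom headers such as this one.
	if token == "" || subtle.ConstantTimeCompare([]byte(authz), []byte("Bearer "+token)) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	token, err := newToken()
	if err != nil {
		panic(err)
	}
	// Constructed path and port; the client's real upgrade would follow the check.
	http.HandleFunc("/ws", func(w http.ResponseWriter, r *http.Request) {
		if code := authorize(token, r.Header.Get("Origin"), r.Header.Get("Authorization")); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
	})
	panic(http.ListenAndServe("127.0.0.1:8099", nil))
}
```

The check runs before any upgrade, so a rejected handshake never reaches the data stream, and binding to 127.0.0.1 keeps the listener off the network.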