Websocket Origin Validation #135

New issue

Open

opened 2025-12-23 11:44:31 +00:00 by j3d1 · 0 comments

j3d1 commented 2025-12-23 11:44:31 +00:00

Owner

Copy link

Django suggests to require the 'Origin' header to be set to the public domain of the server for all incoming websocket connections. Not all browsers seem to do that.
Figure out the potential attack vectors when the check is disabled and decide how to proceed

Django suggests to require the 'Origin' header to be set to the public domain of the server for all incoming websocket connections. Not all browsers seem to do that. Figure out the potential attack vectors when the check is disabled and decide how to proceed

j3d1 added the

Subsystem/Backend

Kind

Security

Priority

Medium

labels 2025-12-23 11:44:31 +00:00

j3d1 added this to the Software project 2025-12-23 11:44:31 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

live

testing

jedi/experimental/locking

clarity/interactive-shipment

jedi/test_new_nodejs

bton/tags

testing_stashed_1

jedi/more_tests

wip/docker_with_mail

wip/team_notifications

jedi/autodeploy_to_prod

jedi/forgejo-actions

wip/integration_testing

system2/frontend

system2/backend

system1

No results found.

Labels

Clear labels   

help wanted

  

question

  

Subsystem/Backend

  

Subsystem/Frontend

  

Subsystem/Mail

  

Kind

Breaking

Breaking change that won't be backward compatible

  

Kind

Bug

Something is not working

  

Kind

Documentation

Documentation changes

  

Kind

Enhancement

Improve existing functionality

  

Kind

Feature

New functionality

  

Kind

Security

This is security issue

  

Kind

Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

No labels

help wanted

question

Subsystem/Backend

Subsystem/Frontend

Subsystem/Mail

Kind

Breaking

Kind

Bug

Kind

Documentation

Kind

Enhancement

Kind

Feature

Kind

Security

Kind

Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Status

Abandoned

Status

Blocked

Status

Need More Info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Software

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

c3lf/c3lf-system-3#135

No description provided.